this is essentially what i've been doing with my access point and it
works quite nicely.  i have placed my AP within the DMZ on my network,
i don't allow any tcp or udp traffic out of the network unless it's on
port 22 (ssh).  all http traffic is transparently proxied to a web
server which is running on that segment and informs the user that they
cannot use this AP unless they have a tunneling mechanism in place. 

by not allowing any tcp traffic outside of this segment (excepting
ssh traffic) and not allowing anything other than protocol
47/50/51/120 traffic outside of the network you effectively make the
segment useless for anyone who isn't tunneling through to the internet
via an access concentrator at their ISP (or their corporate network).

this model can be extended to allow selectively opening up the network
to folks using techniques like nocatauth or for the adventurous with
hardware to burn pppoe or something else.  (hark - ipsec access for
wug members?)  

for nodes where there are links to other locations within the WUG
network (wireless ptp links) traffic can be tunneled appropriately to
the other location and the remainder of the network. 

this is a very simple, stable and straightforward technique that we
can create cookie-cutter implementations of like we were discussing at
our 2nd meeting.  

jeff - you're not missing out on anything, the problem domain has just
been obfuscated. ;-)


when last we saw our hero (Monday, Aug 05, 2002), 
 Matthew S. Hallacy was madly tapping out:
> On Mon, Aug 05, 2002 at 10:20:53AM -0500, jeffr at odeon.net wrote:
> > 
> 
> [snip good content, see summary]
> 
> > Basic connectivity to the wireless network should be fairly simple
> > for Joe User.  Plug in a wireless nic, configure for DHCP, and
> > you're on the network.  You can't get out to the internet at this
> > point, but you can access any services being provided on the
> > wireless network.  A community intranet of sorts perhaps.  If the
> > user wants to get out to the internet then they either need to
> > figure out how to correctly set up their home network (and be
> > providing an access point on the wireless network) or they need to
> > purchase a gateway service from an ISP.  If they are doing it on
> > their own they could get help from this mailing list, or perhaps
> > the TCLUG mailing list if they are using linux for their firewall.
> > If they are purchasing a service from an ISP, then they can call
> > the ISP for technical support.
> > 
> > Jeff
> 
> Excellent, this is exactly what I've been thinking. 
> 
> 

-- 
steve ulrich                       sulrich at botwerks.org
PGP: 8D0B 0EE9 E700 A6CF ABA7  AE5F 4FD4 07C9 133B FAFC
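The tunnel-only AP segment policy Steve describes above (SSH as the only TCP exit, IP protocols 47/50/51/120 allowed out, everything else dropped, HTTP transparently redirected to a local explanatory web server), written out as an iptables ruleset. This is an added example, not code from the original message or its author; the interface names (wlan0 toward the AP segment, eth0 toward the internet) and the web server's port (8080) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Implements the "tunnel-only"
# AP segment policy on a Linux gateway with iptables. Assumptions: the AP
# segment is on wlan0, the internet side is eth0, and the explanatory web
# server listens locally on port 8080.
WLAN=wlan0
WAN=eth0
PROXY_PORT=8080

# With DRY_RUN set, print each rule instead of applying it, so the policy
# can be reviewed before it touches a live gateway.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

ap_segment_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    # Replies to flows already allowed below.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The post's one TCP exception: SSH, so users can tunnel over it.
    ipt -A FORWARD -i "$WLAN" -o "$WAN" -p tcp --dport 22 -j ACCEPT
    # IP protocols the post lets out: 47 (GRE), 50 (ESP), 51 (AH) and 120.
    for proto in 47 50 51 120; do
        ipt -A FORWARD -i "$WLAN" -o "$WAN" -p "$proto" -j ACCEPT
    done
    # Everything else from the segment is dropped, UDP included.
    ipt -A FORWARD -i "$WLAN" -o "$WAN" -j DROP
    # Transparent redirect: HTTP from the segment lands on the local web
    # server that tells the user a tunnel is required.
    ipt -t nat -A PREROUTING -i "$WLAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# "sh ap-policy.sh show" prints the ruleset; "sh ap-policy.sh apply" loads it.
case "${1:-}" in
    show)  DRY_RUN=1 ap_segment_rules ;;
    apply) ap_segment_rules ;;
esac
```

Because the policy drops all UDP, IPsec peers that negotiate with IKE (UDP port 500) cannot complete key exchange through this segment even though ESP and AH are allowed; a gateway that is meant to carry such tunnels needs an explicit rule for it.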