Jonathan Melhuish wrote:
I'm thinking of setting up a public wi-fi hotspot, probably by plugging a network bridge into a second network card on my server, then suitably configuring routing on that box to forward only out to the Internet router and selected services on my server.
Very public spirited.
It'd be nice to have some kind of usage monitoring, just to see if anybody actually uses it and how much of our bandwidth they're using. MRTG looks cool, but it seems to be centred around grabbing stats off SNMP-compatible routers. Can I config it to monitor activity on the local network connections instead?
Do you care? Read the advanced routing docs on bandwidth limiting to make sure they don't tread (too much) on your bandwidth, then you'll only give away what you don't use.
Also, the only thing I don't really want it used for is sending spam. I know it's probably not that big a deal, but presumably rate-limiting the outgoing mail is going to involve setting up my own mail server and configuring it to forward mail out to our ISP's SMTP server?
You could force all port 25 to the ISP's SMTP outbound relay using iptables - it is pretty easy once you know what you want. Our WAPs do this for us ;) Indeed they smell very Linux-like to me, but the interface is more like the "ip" tools command line. Setting up your own mail server would rate-limit it to the speed with which your disk can commit data, and I don't think you'd want that if it gets busy. Log the packets if you want to check how fast the email rate is - to spot abuse. I think spam is a non-issue - just blacklist the MAC addresses if it happens (AND GO OUT AND BEAT THE PERSON UP - AS THEY'LL BE IN RANGE - NO JURY WOULD EVER CONVICT ;-). The bigger issue is the approach your upstream takes to the incident, but compared to the number of infected Windows boxes, hotspots by people who have a clue are not going to be a big issue.
Also, (whilst I'm at it!) I saw somebody had configured their hotspot so that the first page served through the network was a "welcome" page detailing services available, regardless of what was requested.
We are doing it with authentication built into provider hotspots, but that is probably more work and expense than you want. Some people use fancy DNS stuff to do this - which frightens me. I would have thought try and restrict it to port 80 traffic only. Our professional service will mandate login as we want to be paid, but if you just want to share, don't force a login for non-port-80 stuff - that would be a bit like putting a wildcard in the .com zone to find lost web pages; it breaks every other protocol for the (dubious) sake of one. Bad Karma. I think Squid may have some features - have a look. A proxy might be a good thing anyway.
Somebody really ought to make a "wifi-hotspot" Debian superpackage that installs everything you need for a fully featured, secure public hotspot and has a nice easy debconf-based installation. Maybe I ought to have a look into creating some packages... I wouldn't know where to start.
man apt ;)
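The reply above suggests forcing all port 25 out to the ISP's relay with iptables, logging the SMTP rate to spot abuse, dropping offending MAC addresses, shaping the hotspot's bandwidth, and perhaps pushing port 80 through Squid. The script below is an added example of how those pieces fit together on the server described in the thread; it is not code from the original message or from either poster. It generates an iptables-restore ruleset rather than running iptables line by line, so you can read the whole policy before applying it. The interface names (eth0 to the router, eth1 to the wi-fi bridge), the relay address 192.0.2.25 (a TEST-NET-1 placeholder), the Squid port 3128, the 512 kbit/s cap and the blacklisted MAC are all assumed values to replace with your own.

```shell
#!/bin/sh
# Added example for a small public hotspot bridged onto a second NIC.
# Every value below is an assumed placeholder; adjust before use.
HOTSPOT_IF="${HOTSPOT_IF:-eth1}"      # NIC the wi-fi bridge is plugged into (assumed)
WAN_IF="${WAN_IF:-eth0}"              # NIC facing the Internet router (assumed)
ISP_RELAY="${ISP_RELAY:-192.0.2.25}"  # ISP outbound SMTP relay (TEST-NET-1 placeholder)
SQUID_PORT="${SQUID_PORT:-3128}"      # local Squid listening in transparent mode (assumed)
HOTSPOT_RATE="${HOTSPOT_RATE:-512kbit}"  # download cap handed to guests (assumed)
BLACKLIST_MACS="${BLACKLIST_MACS:-}"  # space-separated MACs to drop, e.g. "00:11:22:33:44:55"

# Print the complete ruleset in iptables-restore format.
hotspot_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Force every outbound SMTP connection from the hotspot to the ISP's relay,
# whatever server the guest's mail client asked for.
-A PREROUTING -i $HOTSPOT_IF -p tcp --dport 25 -j DNAT --to-destination $ISP_RELAY:25
# Push plain HTTP through the local Squid (Squid must be configured for interception).
-A PREROUTING -i $HOTSPOT_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Hide the hotspot's private addresses behind the server's WAN address.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
EOF
  # Blacklisted MACs are dropped before anything else is considered.
  for mac in $BLACKLIST_MACS; do
    echo "-A FORWARD -i $HOTSPOT_IF -m mac --mac-source $mac -j DROP"
  done
  cat <<EOF
# Log new SMTP connections (rate-limited so a spammer cannot fill the disk with log lines);
# a burst of "hotspot-smtp:" lines from one source is the abuse signal to look for.
-A FORWARD -i $HOTSPOT_IF -p tcp --dport 25 -m state --state NEW -m limit --limit 6/min -j LOG --log-prefix "hotspot-smtp: "
# Forward hotspot -> Internet only; replies come back via connection tracking.
# Hotspot -> server services are decided by INPUT, not by these FORWARD rules.
-A FORWARD -i $HOTSPOT_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $HOTSPOT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset and cap what the hotspot can pull down (tc TBF on the hotspot-facing
# interface shapes traffic towards the guests; the upload direction needs an HTB class
# on $WAN_IF or ingress policing and is left out here).
apply_hotspot() {
  hotspot_rules | iptables-restore
  tc qdisc replace dev "$HOTSPOT_IF" root tbf rate "$HOTSPOT_RATE" burst 32kbit latency 400ms
  sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
  apply) apply_hotspot ;;   # sh hotspot.sh apply   (as root)
  *)     hotspot_rules ;;   # default: print the ruleset for review
esac
```

Run it with no arguments to see the ruleset, and with `apply` as root once it reads the way you want. Because the default policy of FORWARD is DROP and the only ACCEPT rules pair the hotspot interface with the WAN interface, a guest cannot reach anything on the wired LAN behind the server; whatever the server itself offers to guests is governed by its INPUT chain. Note that the DNAT on port 25 only helps if the ISP relay accepts mail from your address; mail submission on port 587 is not touched and is where a legitimate guest with a remote mail account should be going anyway.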