| 1 |
The netgear will do it. you can give it ip addresses to block. look at the |
| 2 |
schedule setups. set them up only to be able to access the internet for, say |
| 3 |
a second on sunday at 3 am, and not for the rest of the time.... |
| 4 |
|
| 5 |
On Saturday 12 November 2005 17:35, Harry Putnam wrote: |
| 6 |
> Hopefully somehere can direct me to where this should be posted or |
| 7 |
> answer it directly. I'm looking to my Gentoo box to solve the problem |
| 8 |
> described below: |
| 9 |
> |
| 10 |
> First: |
| 11 |
> My home lan looks like: |
| 12 |
> |
| 13 |
> |
| 14 |
> INTERNET |
| 15 |
> |
| 16 |
> DSLMODEM |
| 17 |
> |
| 18 |
> ------------- NETGEAR FVS318 fw/router--------------- |
| 19 |
> |
| 20 |
> |
| 21 |
> Mch1 Mch2 mch3 mch4 mch5 |
| 22 |
> Lin win win win win |
| 23 |
> Gentoo |
| 24 |
> |
| 25 |
> Machines 3-5 are heavy hitters for graphics work and are heavily |
| 26 |
> loaded with such things as Photoshop, vegas, canopus Edius, Adobe |
| 27 |
> Illustrator and the like. |
| 28 |
> |
| 29 |
> I don't want to have to worry about spyware,adware,virus prevention |
| 30 |
> firewall stuff competing for resources with the graphics tools. |
| 31 |
> Instead I'd like to prevent those three from contacting the internet. |
| 32 |
> |
| 33 |
> I want to isolate mch3-5 to only the local network. |
| 34 |
> |
| 35 |
> That is, only mch 1 (a linux) machine and mch2 (a winxp pro) machine, |
| 36 |
> should be able to freely access the internet. (Making those secure |
| 37 |
> while doing so is not dicussed here) 3-5 should only be able |
| 38 |
> to talk to/from the local net. |
| 39 |
> |
| 40 |
> I realize this would not be true isolation as anyone getting to 1-2 |
| 41 |
> would have access to 3-5, so all bets are off if that should happen. |
| 42 |
> |
| 43 |
> Its more about having to worry about downloads or link clicks etc with |
| 44 |
> unwanted results. |
| 45 |
> |
| 46 |
> The Netgear FVS318 appears not to be able to do this for me. But I |
| 47 |
> could be wrong there. I see no options that look usefull for it. |
| 48 |
> Blocking of sites might do it but appears it would be a long process |
| 49 |
> setting it up. |
| 50 |
> |
| 51 |
> I'd happily hear that the router can do this. |
| 52 |
> |
| 53 |
> ===================================================== |
| 54 |
> |
| 55 |
> I'm turning to my gentoo box for a solution. |
| 56 |
> |
| 57 |
> However, I'm not interested in setting it up as the router for |
| 58 |
> everthing and ditching the NETGEAR. Its to convenient having |
| 59 |
> something the size of a medium book that makes no noise or heat but |
| 60 |
> can keep all but the most dedicated of script kiddies of my network. |
| 61 |
> |
| 62 |
> I'm thinking I could route machines 3-5 thru it as gateway. |
| 63 |
> The way I work, the gentoo box is always running. I would never be |
| 64 |
> using the others without it running, its just how I work. |
| 65 |
> |
| 66 |
> I know already that Iptables can handle the rulesets needed to get |
| 67 |
> what I want. I'm not sure of the exact rules yet but believe it is at |
| 68 |
> least possible. |
| 69 |
> |
| 70 |
> Now for the questions: |
| 71 |
> |
| 72 |
> Can I route 3-5 thru the Gentoo box without changing the subnet |
| 73 |
> setup? That is, all still remain 192.168.0.0/24. And simply set |
| 74 |
> gateway on 3-5 to point at the gentoo box. Then setup IPtables to |
| 75 |
> prevent those machines from talking beyond local lan in or out. |
| 76 |
> |
| 77 |
> Something like deny everything, then allow only a list of `safe' IPs |
| 78 |
> on the local lan. |
| 79 |
> |
| 80 |
> So again: |
| 81 |
> Can I do all this without hardwiring 3-5 direct to the Gentoo box. |
| 82 |
> That is, just by setting it as gateway on each of them. |
| 83 |
|
| 84 |
-- |
| 85 |
John Jolet |
| 86 |
Your On-Demand IT Department |
| 87 |
512-762-0729 |
| 88 |
www.jolet.net |
| 89 |
john@×××××.net |
| 90 |
-- |
| 91 |
gentoo-user@g.o mailing list |
Archives