The Netgear will do it. You can give it IP addresses to block. Look at the
schedule setups. Set them up only to be able to access the internet for, say,
a second on Sunday at 3 am, and not for the rest of the time....

On Saturday 12 November 2005 17:35, Harry Putnam wrote:
> Hopefully someone can direct me to where this should be posted or
> answer it directly. I'm looking to my Gentoo box to solve the problem
> described below:
>
> First:
> My home LAN looks like:
>
>
> INTERNET
>
> DSLMODEM
>
> ------------- NETGEAR FVS318 fw/router---------------
>
>
> Mch1 Mch2 mch3 mch4 mch5
> Lin win win win win
> Gentoo
>
> Machines 3-5 are heavy hitters for graphics work and are heavily
> loaded with such things as Photoshop, Vegas, Canopus Edius, Adobe
> Illustrator and the like.
>
> I don't want to have to worry about spyware, adware, virus prevention,
> firewall stuff competing for resources with the graphics tools.
> Instead I'd like to prevent those three from contacting the internet.
>
> I want to isolate mch3-5 to only the local network.
>
> That is, only mch1 (a Linux machine) and mch2 (a WinXP Pro machine)
> should be able to freely access the internet. (Making those secure
> while doing so is not discussed here.) 3-5 should only be able
> to talk to/from the local net.
>
> I realize this would not be true isolation, as anyone getting to 1-2
> would have access to 3-5, so all bets are off if that should happen.
>
> It's more about having to worry about downloads or link clicks etc. with
> unwanted results.
>
> The Netgear FVS318 appears not to be able to do this for me. But I
> could be wrong there. I see no options that look useful for it.
> Blocking of sites might do it but appears it would be a long process
> setting it up.
>
> I'd happily hear that the router can do this.
>
> =====================================================
>
> I'm turning to my Gentoo box for a solution.
>
> However, I'm not interested in setting it up as the router for
> everything and ditching the NETGEAR. It's too convenient having
> something the size of a medium book that makes no noise or heat but
> can keep all but the most dedicated of script kiddies off my network.
>
> I'm thinking I could route machines 3-5 thru it as gateway.
> The way I work, the Gentoo box is always running. I would never be
> using the others without it running; it's just how I work.
>
> I know already that iptables can handle the rulesets needed to get
> what I want. I'm not sure of the exact rules yet but believe it is at
> least possible.
>
> Now for the questions:
>
> Can I route 3-5 thru the Gentoo box without changing the subnet
> setup? That is, all still remain 192.168.0.0/24. And simply set
> gateway on 3-5 to point at the Gentoo box. Then set up iptables to
> prevent those machines from talking beyond the local LAN, in or out.
>
> Something like deny everything, then allow only a list of `safe' IPs
> on the local LAN.
>
> So again:
> Can I do all this without hardwiring 3-5 direct to the Gentoo box?
> That is, just by setting it as gateway on each of them.

--
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@×××××.net
--
gentoo-user@g.o mailing list
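The gateway arrangement Harry asks about (mch3-5 keep their 192.168.0.0/24 addresses, point their default gateway at the Gentoo box, and the Gentoo box refuses to forward anything from them that is not LAN-bound) can be written as a short iptables script. This is an added example, not code from either poster or from the Netgear; the host addresses 192.168.0.3-5 for mch3-5 and the interface name eth0 are assumptions, since the thread gives only the subnet.

```shell
#!/bin/sh
# Added example: iptables rules for a Gentoo box acting as default gateway
# for a few hosts on the same /24, letting them reach the LAN only.
# Assumed (not given in the thread): isolated hosts mch3-5 are
# 192.168.0.3-5, the LAN is 192.168.0.0/24, the box's LAN interface is eth0.

LAN=192.168.0.0/24
LAN_IF=eth0
ISOLATED="192.168.0.3 192.168.0.4 192.168.0.5"

# Print the commands rather than running them, so the rule set can be
# reviewed first; run this script with "apply" as root to execute them.
gateway_rules() {
    # The box must forward at all before 3-5 can use it as a gateway.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # With the Netgear on the same subnet as the isolated hosts, Linux
    # would otherwise answer their internet-bound packets with an ICMP
    # redirect pointing them straight at the Netgear (the redirect is sent
    # before the FORWARD chain sees the packet), and Windows honours
    # redirects by default. Disable redirects or the filter is bypassed.
    echo "sysctl -w net.ipv4.conf.all.send_redirects=0"
    echo "sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0"

    echo "iptables -F FORWARD"
    # Deny everything that is forwarded, then allow specific things.
    echo "iptables -P FORWARD DROP"
    # Replies belonging to connections the box already accepted.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for host in $ISOLATED; do
        # LAN-to-LAN traffic normally never reaches the gateway (same
        # subnet, delivered directly), but allow it in case it does.
        echo "iptables -A FORWARD -i $LAN_IF -s $host -d $LAN -j ACCEPT"
        # Anything else from an isolated host is logged, then dropped.
        echo "iptables -A FORWARD -i $LAN_IF -s $host -j LOG --log-prefix \"isolated-egress: \""
        echo "iptables -A FORWARD -i $LAN_IF -s $host -j DROP"
    done
    # Nothing from outside the LAN is forwarded to an isolated host either.
    for host in $ISOLATED; do
        echo "iptables -A FORWARD ! -s $LAN -d $host -j DROP"
    done
}

# Number of per-host DROP rules in the set (one egress and one ingress
# rule per isolated host); a quick sanity check before applying.
count_drop_rules() {
    gateway_rules | grep -c -- '-j DROP'
}

case "$1" in
    apply) gateway_rules | sh -e ;;
    *)     gateway_rules ;;
esac
```

Two limits follow from the layout itself rather than from the rules. First, the only thing keeping mch3-5 behind the Gentoo box is their own gateway setting: the Netgear is on the same wire and will route for any host that points at it, so anyone with administrator rights on a Windows box (or malware running as one) can simply change the gateway back, and a port forward configured on the Netgear reaches 3-5 directly without ever touching the Gentoo box. Second, the "allow only a list of safe IPs on the local LAN" part cannot be enforced here, because traffic between two hosts on the same /24 never passes through the gateway; that would need separate subnets or VLANs with the Gentoo box between them.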