
Re: firewall package for laptop wi-fi client



On Tue, 25 Jan 2011 15:00:36 -0500
Celejar <celejar@gmail.com> wrote:

> On Tue, 25 Jan 2011 12:51:15 +0000 (UTC)
> Camaleón <noelamac@gmail.com> wrote:
> 
> > In this scenario, the "LAN" and the "WAN" are at the same "hostile"
> > level and so both should be treated. Why should you accept
> > incoming ssh traffic from the "hostile lan/wan"? I shouldn't...
> > unless:
> 
> Exactly my point - that personal firewall 'profiles' are less useful
> than they might appear at first blush, since you pretty much need to
> treat all traffic, even 'local' traffic, as dangerous when behind a
> NAT router.
> 

A laptop will not normally be offering services, so a very basic
iptables setup should be adequate everywhere. I have a second profile
which allows only DHCP, DNS and VPN packets out to the LAN, and once a
VPN is established, DNS goes over it anyway and the default gateway
switches to the VPN server.

This is pretty much equivalent to the Windows 'send all traffic via the
remote server' option, and I use it both on foreign LANs and on mobile
Internet if I need to do anything sensitive. If I just want email
access, ssh into my server is enough, using the standard profile.

All the public wi-fi systems I've tried seem to block most protocols, so
neither ssh nor VPN is possible, and I've given up trying them. Maybe
I'm paranoid, but every time I read about some obscure, devious attack
technique that I would never have believed possible, or exploitable
software bug, I get that little bit more paranoid...

I use RADIUS/EAP-TLS at home, but I can see how that might not be
practical in a pub or cafe.

-- 
Joe
