We have my partner’s sister staying out the back in the flat for a short while, and she wants to have some access to the internet.
We have plans to eventually remove that building, so paying Telstra $300 plus wasting a weekend digging a trench just to ensure she would be responsible for whatever usage for the very short time she plans to be there is nonsensical (the price is nonsensical at any time).
Instead, I think we can manage this using a wireless network that we had setup previously for the flat, and lock it right down so that only allowed traffic is sent over the link.
I haven’t done it yet, only thinking about it.
First, I’d specify a specific IP and set that in my Cisco router to allow access to port 80, 1863 only. No email, Skype, P2P or other hassles.
Then, I’d setup the wireless link using the Linksys WRT54G I have running DD-WRT. It would be a client of the main network, a static IP configured to ensure access-list compliance.
The password for the Linksys router being secured, should ensure that she can’t ever try and circumvent the measure by resetting the router – as it would remove the connection settings thus requiring my Cisco wireless password to get back online.
The Linksys router would then have wireless security applied (a second network at that, as DD-WRT can run as both a wireless client and a wireless AP). The Linksys router would be configured to drop traffic to all hosts with exception of specific hosts (i.e. hostnames ‘facebook.com’ would be allowed).
The other alternative would be for the Cisco router to forward that traffic through my proxy server first and have it filter out any requests for websites that aren’t allowed, but that adds needless delay – configure DNS in the Linksys router to point to itself, and specify a list of IPs and hostnames so that all that it can resolve are those hostnames.
Since only port 80 & port 1863 are allowed at the Cisco side of the network, there won’t be any traffic allowed for DNS (well, there is if they prefer to do web queries for every hostname they look up 😉 – but the specific host names only being allowed would stop that).
No Virus issues, no Spam, no P2P, just simple web browsing and some MSN capabilities. Sounds pretty secure. Theoretically, one could P2P using it, but since the only allowed hosts are specified – that removes that possibility.
My partner wants her to have limited internet access, since I didn’t want the traffic so just said no access at all – this sounds like a good compromise between nothing, and ‘very little’.
One Response to Creating a limited access network.