Re: [Hampshire] Networking for Dummies

Author: Jacqui Caren-home
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Networking for Dummies
On 07/05/2011 09:59, Vic wrote:
>
>> What I want is to keep him isolated
>
> That's always a good plan with relatives :-)
>
> Do you have a server running? That makes life very easy.



> If you want WiFi on that network, set up another WiFi router and connect
> one of its LAN ports to your untrusted interface. Don't connect the ADSL
> connection at all - it will bleat, but that doesn't matter. Make sure you
> turn off the DHCP server on that router if you're already running one on
> your server box.


Yes - I use shorewall cos I am lazy :-)
It's a very easy to use iptables config tool.

With shorewall you define zones and interfaces then rules limiting
traffic between the zones. Masquerade on the internet connection(s) and you are sorted.

If you need an example shorewall config give me a shout :-)

Final suggestions

  * configure a separate bind server with many of the flakey ad/spam/infection servers mastered.
    (for instance .ru is mastered here)
  * provide your dad's machine with a fixed IP via dhcpd
    map his MAC address to a fixed IP.
  * ensure dhcpd tells dad's box to use the above DNS server!
  * block outbound smtp from the untrusted network
  * add quotas/rate limits to the untrusted network


Jacqui
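
A minimal Shorewall layout for the zones, masquerading and outbound SMTP block described in the message above, added here as an illustration and not the poster's own configuration. The interface names (eth0, eth1, eth2), the zone name `guest`, the 192.168.2.0/24 range and the BIND server living on the firewall box are all assumptions, and the `?FORMAT 2` line assumes a current Shorewall release.

```conf
# /etc/shorewall/zones
#ZONE    TYPE
fw       firewall
net      ipv4
loc      ipv4
guest    ipv4        # untrusted network (assumed zone name)

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE    INTERFACE   OPTIONS
net      eth0        tcpflags,nosmurfs,routefilter
loc      eth1        tcpflags,nosmurfs
guest    eth2        dhcp,tcpflags,nosmurfs   # dhcp: let clients reach dhcpd on this box

# /etc/shorewall/policy  (first matching line wins)
#SOURCE  DEST   POLICY   LOGLEVEL
loc      net    ACCEPT
loc      $FW    ACCEPT
$FW      all    ACCEPT
guest    net    ACCEPT            # untrusted hosts may reach the internet...
guest    all    REJECT   info     # ...but not the trusted LAN or the firewall itself
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules  (rules override the policies above)
#ACTION       SOURCE   DEST   PROTO   DPORT
REJECT        guest    net    tcp     25      # block outbound SMTP from the untrusted network
DNS(ACCEPT)   guest    $FW                    # allow lookups against the filtering BIND server

# /etc/shorewall/masq  (older releases)
#INTERFACE   SOURCE
eth0         192.168.1.0/24
eth0         192.168.2.0/24
# Newer releases use /etc/shorewall/snat instead:
#   MASQUERADE   192.168.2.0/24   eth0
```

Run `shorewall check` before `shorewall restart` so a typo in any of these files is caught before the live ruleset is replaced.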