My wireless at home is semi-secured with 128 bit WEP, although the SSID is broadcast. I’m not fooling myself that it’s foolproof, just that it’s good enough to make most people go down the road to find easier pickings at some open node named ‘Linksys’. But recently I’ve “relied on the kindness of strangers” using people’s nodes that they’ve either left open through stupidity (like my sister-in-law’s neighbours with the ‘Linksys’ SSID and the default login to the Linksys administration page) or open through an intent to share their resources (like Steven Cherry). So I’m starting to wonder if I shouldn’t be returning the karma and have an open node myself.
But I’m worried about the implications of that. The first worry is that somebody could use my node to send out spam. I have enough trouble with my mail server being blocked by various RBLs that I don’t want to get on any more – I recently had problems because I was sending a lot of mail out through a friend’s relay, and he got listed in an RBL that I use myself, which caused all sorts of problems. But in actual fact, that’s pretty unlikely unless it was one of my neighbours.
The second worry is that by having strangers on my internal network, they’d get access to things that I probably don’t want them to have access to, like the NFS export of my /mp3s directory. I don’t want the hassle of having to harden some of the services I’ve currently got open to the 192.168.1.0/24 subnet. A related worry is that they could snoop things like IMAP or POP between graphical email clients and the mail server. Personally, I ssh into the server and use mutt, but Vicki sometimes uses Mail.app and I think Laura uses Mail.app almost exclusively. I don’t know if Mail.app supports any sort of encrypted link, or if I could figure out how to support it on my Linux box. Not sure I’d want to.
So I’m wondering if what I need isn’t a configuration with two subnets, one open node for strangers to connect where they can reach the outside world but not my Linux box, and one secure node that once you’re in, you’ve got full access to the goodies? Maybe the open node should block outgoing connection to port 25 except for my ISP’s mail relay or something like that? The problem with that is that my current router/WAP isn’t capable enough to do that sort of filtering, and while I have a better router/WAP (a Linksys WRT54G) on order, I would prefer to use that for me, not for strangers.
Anybody have any suggestions?
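One way to express the two-subnet idea above as firewall rules on a Linux box that routes between the secure LAN, the open access point and the upstream link. This is an added example, not code from the original post or its comments: the interface names, the guest subnet (192.168.2.0/24), the chain name GUEST_FWD and the ISP relay address (a TEST-NET placeholder) are assumptions to adjust for your own setup. The policy keeps guests off 192.168.1.0/24 entirely, lets them out to the Internet, and allows outbound port 25 only to the ISP's relay so a stranger on the open node cannot use your address to spam arbitrary mail servers.

```shell
#!/bin/sh
# Added example, not from the original post: guest-segment firewall policy for
# a Linux router. All interface names and addresses below are assumptions.
LAN_IF=eth1                 # assumption: secure LAN (192.168.1.0/24, as in the post)
GUEST_IF=eth2               # assumption: the open access point is plugged in here
WAN_IF=eth0                 # assumption: upstream link to the ISP
LAN_NET=192.168.1.0/24
GUEST_NET=192.168.2.0/24    # assumption: separate subnet handed out to strangers
ISP_RELAY=203.0.113.25      # placeholder (TEST-NET-3); put your ISP's SMTP relay here

# With DRY_RUN set, print each rule instead of applying it, so the policy can
# be reviewed (or tested) without root and without iptables installed.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_guest_policy() {
    # A dedicated chain for traffic that arrives from the guest segment.
    ipt -N GUEST_FWD 2>/dev/null
    ipt -F GUEST_FWD
    # Replies to flows that are already established are fine.
    ipt -A GUEST_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Guests never reach the secure LAN (NFS exports, IMAP, and so on).
    ipt -A GUEST_FWD -d "$LAN_NET" -j DROP
    # Outbound SMTP only to the ISP relay; everything else on port 25 is refused.
    ipt -A GUEST_FWD -p tcp --dport 25 -d "$ISP_RELAY" -j ACCEPT
    ipt -A GUEST_FWD -p tcp --dport 25 -j REJECT --reject-with tcp-reset
    # Anything else bound for the Internet is allowed and NATed.
    ipt -A GUEST_FWD -o "$WAN_IF" -j ACCEPT
    ipt -A GUEST_FWD -j DROP
    # Hook the chain in for packets coming from the guest interface
    # (delete first so re-running the script does not duplicate the jump).
    ipt -D FORWARD -i "$GUEST_IF" -s "$GUEST_NET" -j GUEST_FWD 2>/dev/null
    ipt -I FORWARD 1 -i "$GUEST_IF" -s "$GUEST_NET" -j GUEST_FWD
    ipt -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
    # The router itself only offers DHCP and DNS to guests.
    ipt -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$GUEST_IF" -j DROP
}

# Usage: DRY_RUN=1 sh guest-fw.sh apply   (review the rules)
#        sudo sh guest-fw.sh apply        (install them)
if [ "${1:-}" = "apply" ]; then
    apply_guest_policy
fi
```

The ordering matters: the DROP for the LAN subnet and the port 25 rules sit before the general "out to the Internet" ACCEPT, because iptables takes the first matching rule. Wireless clients on the secure side keep using the existing WEP node on `$LAN_IF`, so nothing changes for them; only the open node is forced through GUEST_FWD.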
I think I’d set up the internal clients to use IPSec or OpenVPN, and only have the more interesting services open via that. If a client doesn’t do IPSec, I’d only give him http/s-access through a (transparent) proxy and nothing else: it’s enough if you’re abroad and in a hurry, but the damage one can do is at least somewhat limited.
Mail.app supports imaps (encrypted imap) and works fine for me with dovecot as an IMAP server.
Courier providing IMAP/SSL on port 993 (works well with mutt, Thunderbird, Outhouse, Mail.App, and Eudora); qmail patched with an SMTP AUTH feature that demands a username and password for non-localnet IPs, works with the same clients above.