On Saturday 27 May 2006 23:46, Jonathan Chocron wrote:
> On Saturday 27 May 2006 11:40, Dave S wrote:
> > Hi all,
> >
> > This is a bit OT but I have a netgear router DG834 ADSL firewall router.
> > I have restricted my incoming services with ...
> >
> > Enable Service Name Action LAN Server IP address WAN Users Log
> > on bit torrent ALLOW always 192.168.0.5 Any Always
> > Default Yes Any BLOCK always Any Any Never
> >
> > And tightened my outgoing services with ...
> >
> > Enable Service Name Action LAN Users WAN Servers Log
> > on HTTP ALLOW always Any Any Always
> > on HTTPS ALLOW always Any Any Always
> > on POP ALLOW always Any Any Always
> > on SMTP ALLOW always Any Any Always
> > on NTP ALLOW always Any Any Always
> > on FTP ALLOW always Any Any Always
> > on rsync ALLOW always Any 0.0.0.0 Never
> > on GM Port 389 ALLOW always 192.168.0.6 Any Always
> > on GM Port 1503 ALLOW always 192.168.0.6 Any Always
> > on GM Port 1731 ALLOW always 192.168.0.6 Any Always
> > on GM 1024-65K ALLOW always 192.168.0.6 Any Always
> > on H.323 ALLOW always 192.168.0.6 Any Always
> > on Port >1023 ALLOW always Any Any Always
> > on Samba ALLOW always Any 0.0.0.0 Always
> > on samba2 ALLOW always Any 0.0.0.0 Always
> > on samba3 ALLOW always Any 0.0.0.0 Always
> > on Any(ALL) BLOCK always Any Any Always
> > Default Yes Any ALLOW always Any Any
> >
> > Some services like rsync and samba I want to keep within my LAN but my
> > DG834 insists I give it at least one IP address on the WAN that my service
> > can be broadcast to. I selected 0.0.0.0
> >
> > Can anyone advise, am I going about this the right way, any comment
> > greatly appreciated :)
> >
> > Cheers
> >
> > Dave
>
> I am not the best net admin on earth, but it seems to me that 0.0.0.0 is
> definitely not a broadcast address. If you want to keep things in your LAN,
> you should have something like 192.168.0.255 instead.
>
> Moreover, I do not quite understand what you are trying to do. I had
> approximately the same router (same brand anyway), and it did not block any
> LAN-only services.

Yep, same here. I was trying to lock down my router. By default it allows any
outgoing packets and only allows incoming packets if they are related to the
incoming packets.

I was trying to lock down my outgoing packets so services such as Samba would
not broadcast anything to the WAN.

As such I defaulted outgoing to BLOCK and allowed only certain ports.

However I then needed to allow ports between computers, i.e. for Samba again.

When I opened the port on the LAN between computers my router wanted at least
one IP address for the WAN. I did not want to give it a real address so
chose 0.0.0.0

I was really asking ...

(a) Is it worthwhile setting up my router this way, or am I being paranoid :)

(b) Is 0.0.0.0 an invalid IP address (I thought it might be) because that is
what I was looking for to trick my router to send nothing to the WAN

Cheers

Dave

PS Sorry for the delay, I am an on call engineer and have been away.


> What you're telling it is, for example, to block
> *outgoing* rsync. This should not in any case be blocking an rsync between
> two machines inside your LAN.
>
> I hope this helps, even if I am not quite sure I understand what you're
> trying to do.
>
> -- Jonathan

Apologies for my poor explanation :)
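As an added example (not from the thread), a small Python model of the outbound rule table quoted above with first-match semantics, checking what a 0.0.0.0 "WAN Servers" entry actually matches and why LAN-only traffic is unaffected. The port numbers per service and the first-match evaluation order are assumptions of this example, not documented DG834 behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str       # "ALLOW" or "BLOCK", as in the router UI
    dports: range     # destination ports the service covers (assumed)
    wan_servers: str  # "Any" or a single WAN address, as entered in the UI


# Subset of the outbound table from the posting; port numbers are the
# conventional ones for each service and are an assumption of this example.
OUTBOUND_RULES = [
    Rule("HTTP", "ALLOW", range(80, 81), "Any"),
    Rule("HTTPS", "ALLOW", range(443, 444), "Any"),
    Rule("rsync", "ALLOW", range(873, 874), "0.0.0.0"),
    Rule("Port >1023", "ALLOW", range(1024, 65536), "Any"),
    Rule("Samba", "ALLOW", range(445, 446), "0.0.0.0"),
    Rule("Any(ALL)", "BLOCK", range(0, 65536), "Any"),
]
DEFAULT_OUTBOUND = "ALLOW"  # the table's "Default ... ALLOW always" row


def wan_server_matches(rule: Rule, dst: str) -> bool:
    """'Any' matches everything; an explicit entry matches only itself.
    0.0.0.0 is the unspecified address, so it never equals a real destination."""
    if rule.wan_servers == "Any":
        return True
    return ipaddress.ip_address(rule.wan_servers) == ipaddress.ip_address(dst)


def outbound_decision(dst: str, dport: int) -> str:
    """Walk the ordered table; the first rule matching port and WAN server wins."""
    for rule in OUTBOUND_RULES:
        if dport in rule.dports and wan_server_matches(rule, dst):
            return f"{rule.action} ({rule.name})"
    return f"{DEFAULT_OUTBOUND} (default)"


def crosses_firewall(src: str, dst: str, lan: str = "192.168.0.0/24") -> bool:
    """LAN-to-LAN packets stay on the switch and never reach the WAN rule table."""
    net = ipaddress.ip_network(lan)
    return not (ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net)


def is_lan_broadcast(addr: str, lan: str = "192.168.0.0/24") -> bool:
    """The broadcast address of the LAN is its last address, not 0.0.0.0."""
    return ipaddress.ip_address(addr) == ipaddress.ip_network(lan).broadcast_address
```

With these rules a Samba or rsync packet to a real WAN address falls through to the Any(ALL) BLOCK entry, while the "Port >1023" rule still lets any high-numbered destination port out.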

--
gentoo-user@g.o mailing list