| 1 |
On Saturday 27 May 2006 23:46, Jonathan Chocron wrote: |
| 2 |
> Le Samedi 27 Mai 2006 11:40, Dave S a écrit : |
| 3 |
> > Hi all, |
| 4 |
> > |
| 5 |
> > This is a bit OT but I have a netgear router DG834 ADSL firewall router. |
| 6 |
> > I have restricted my incoming services with ... |
| 7 |
> > |
| 8 |
> > Enable Service Name Action LAN Server IP address WAN Users Log |
| 9 |
> > on bit torrent ALLOW always 192.168.0.5 Any Always |
| 10 |
> > Default Yes Any BLOCK always Any Any Never |
| 11 |
> > |
| 12 |
> > And tightened my outgoing services with ... |
| 13 |
> > |
| 14 |
> > Enable Service Name Action LAN Users WAN Servers Log |
| 15 |
> > on HTTP ALLOW always Any Any Always |
| 16 |
> > on HTTPS ALLOW always Any Any Always |
| 17 |
> > on POP ALLOW always Any Any Always |
| 18 |
> > on SMTP ALLOW always Any Any Always |
| 19 |
> > on NTP ALLOW always Any Any Always |
| 20 |
> > on FTP ALLOW always Any Any Always |
| 21 |
> > on rsync ALLOW always Any 0.0.0.0 Never |
| 22 |
> > on GM Port 389 ALLOW always 192.168.0.6 Any Always |
| 23 |
> > on GM Port 1503 ALLOW always 192.168.0.6 Any Always |
| 24 |
> > on GM Port 1731 ALLOW always 192.168.0.6 Any Always |
| 25 |
> > on GM 1024-65K ALLOW always 192.168.0.6 Any Always |
| 26 |
> > on H.323 ALLOW always 192.168.0.6 Any Always |
| 27 |
> > on Port >1023 ALLOW always Any Any Always |
| 28 |
> > on Samba ALLOW always Any 0.0.0.0 Always |
| 29 |
> > on samba2 ALLOW always Any 0.0.0.0 Always |
| 30 |
> > on samba3 ALLOW always Any 0.0.0.0 Always |
| 31 |
> > on Any(ALL) BLOCK always Any Any Always |
| 32 |
> > Default Yes Any ALLOW always Any Any |
| 33 |
> > |
| 34 |
> > Some services like rsync and samba I want to keep within my LAN but my |
| 35 |
> > DG834 insists I give it a least one IP address on the WAN that my service |
| 36 |
> > can be broadcast to. I selected 0.0.0.0 |
| 37 |
> > |
| 38 |
> > Can anyone advise, am I going about this the right way, any comment |
| 39 |
> > greatly appreciated :) |
| 40 |
> > |
| 41 |
> > Cheers |
| 42 |
> > |
| 43 |
> > Dave |
| 44 |
> |
| 45 |
> I am not the best net admin on earth, but it seems to me that 0.0.0.0 is |
| 46 |
> definitely not a broadcast address. If you want to keep things in your lan, |
| 47 |
> you should have something like 192.168.0.255 instead. |
| 48 |
> |
| 49 |
> Moreover, I do not quite understand what you are trying to do. I had |
| 50 |
> approximately the same router (same brand anyway), and it did not block any |
| 51 |
> lan-only services. |
| 52 |
|
| 53 |
Yep, same here. I was trying to lock down my router. By default it allows any |
| 54 |
outgoing packets and only allows incoming packets if they are related to the |
| 55 |
incoming packets. |
| 56 |
|
| 57 |
I was trying to lock down my outgoing packets so services such as Samba would |
| 58 |
not broadcast anything to the WAN. |
| 59 |
|
| 60 |
As such I defaulted outgoing to BLOCK and allowed only certain ports. |
| 61 |
|
| 62 |
However I then needed to allow ports between computers ie for Samba again. |
| 63 |
|
| 64 |
When I opened the port on the LAN between computers my router wanted at least |
| 65 |
one IP address for the WAN. I did not want to give it a real address so |
| 66 |
choose 0.0.0.0 |
| 67 |
|
| 68 |
I was really asking ... |
| 69 |
|
| 70 |
(a) Is it worthwhile setting up my router this way, or am I being paranoid :) |
| 71 |
|
| 72 |
(b) Is 0.0.0.0 and invalid IP address (I though it might be) because that is |
| 73 |
what i was looking for to trick my router to send nothing to the WAN |
| 74 |
|
| 75 |
Cheers |
| 76 |
|
| 77 |
Dave |
| 78 |
|
| 79 |
PS Sorry for the delay, I am an on call engineer and have been away. |
| 80 |
|
| 81 |
|
| 82 |
> What you're telling it is, for example, to block |
| 83 |
> *outgoing* rsync. This should not in any case be blocking an rsync between |
| 84 |
> two machines inside your LAN. |
| 85 |
> |
| 86 |
> I hope this helps, even if i am not quite sure I understand what you're |
| 87 |
> trying to do. |
| 88 |
> |
| 89 |
> -- Jonathan |
| 90 |
|
| 91 |
Apologies for my poor explanation :) |
| 92 |
|
| 93 |
|
| 94 |
|
| 95 |
|
| 96 |
|
| 97 |
-- |
| 98 |
gentoo-user@g.o mailing list |
Archives