Charles,
Thank you for your very prompt reply. I implemented both changes you
suggested as well as one of my own--commenting out the following line in
/etc/ipfilter.conf (it looked like it would be necessary):
$IPCH -A $LIST -j DENY -p all -s 192.0.0.0/24 -d 0/0 -l $*
However, I'm still unable to connect to the cable modem. The log shows
this kind of error:
Apr 15 09:33:46 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.100.1:80 12.237.249.125:61007 L=40 S=0x00 I=96 F=0x0000 T=30 (#17)
Line #17 in the firewall rules for the input chain (I'm guessing that's
what the #17 above means):
pkts bytes target prot opt    tosa tosx ifname mark outsize source           destination ports
  14   560 DENY   all  ----l- 0xFF 0x00 eth0                192.168.100.0/24 0.0.0.0/0   n/a
It looks as if the eth0_IP_EXTRA_ADDRS line has created a DENY rule. This
appears to be the opposite of what is needed. Any thoughts on this?
Best regards,
Galen Kannarr
At 09:33 AM 4/15/02, Charles Steinkuehler wrote:
> > I've got a Dachstein (1.02, I think) router in its default configuration
> > (except for enabling ipSec VPN masquerading). I would like to access the
> > cable modem's http status page, which is hard wired at address
> > 192.168.100.1. What do I need to modify to make this possible from within
> > my private 192.168.1.x network? I'm guessing that I need to 1) add a
> > route using the ip command and 2) add an ipchains rule that will allow
> > access. Unfortunately, I'm not literate enough with either to conjure up
> > the syntax myself.
> >
> > The cable modem is on eth0, which gets its ip address via the Dachstein
> > dhcp client. My private network is on eth1, with the default Dachstein
> > address of 192.168.1.254.
>
>Adding the network configuration is easy...simply add an alias to your
>external interface:
>
>eth0_IP_EXTRA_ADDRS="192.168.100.2/24"
>
>To allow access to the 192.161.x.x private IP range on the external side of
>your firewall, you need to modify the firewall setup scripts, or all packets
>to the IP of your cable modem will be dropped. Do this by commenting the
>following line in the stopMartians procedure of /etc/ipfilter.conf :
>
>$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*
>
>NOTE: This will *NOT* allow any arbitrary packets from the 192.168 private
>IP space through your firewall. It simply moves the 192.168.x.x IP space
>into the group of "generic internet IP's", rather than denying all packets
>to/from this IP range. The packets still have to go through the firewall
>rules, just like any other random IP from the internet at large...
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
--
Galen Kannarr
mailto:[EMAIL PROTECTED]
home: 972-238-5705
office: 972-344-6366 <=== NOTE: new as of 12/27/2001
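
The kernel log line and the rule listing quoted in the message above can be cross-checked mechanically. This added example (not part of the original e-mails; the function names are hypothetical) parses the ipchains `Packet log:` format, in which the trailing `(#17)` is the number of the matching rule in the named chain, and confirms that the logged source address falls inside that rule's source range.

```python
import ipaddress
import re

# Layout of a Linux 2.2 ipchains "Packet log:" line; the trailing (#N)
# is the number of the matching rule within the named chain.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>\S+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>\S+) T=(?P<ttl>\d+)(?P<extra>.*?)\(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
INT_FIELDS = ("proto", "sport", "dport", "length", "ip_id", "ttl", "rule")


def parse_packet_log(line):
    """Return the fields of an ipchains packet log line, or None."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in INT_FIELDS:
        entry[key] = int(entry[key])
    entry["proto_name"] = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
    # The kernel appends "SYN" before the rule number for TCP SYN packets.
    entry["syn"] = "SYN" in entry.pop("extra").split()
    return entry


def source_in_rule(entry, rule_source):
    """True when the logged source address is inside the rule's source CIDR."""
    return ipaddress.ip_address(entry["src"]) in ipaddress.ip_network(rule_source)


# Log line and rule 17's source column, both taken from the message above.
SAMPLE = ("Apr 15 09:33:46 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
          "192.168.100.1:80 12.237.249.125:61007 L=40 S=0x00 I=96 F=0x0000 "
          "T=30 (#17)")
RULE_17_SOURCE = "192.168.100.0/24"

if __name__ == "__main__":
    e = parse_packet_log(SAMPLE)
    print(f"{e['chain']} rule #{e['rule']} -> {e['target']} on {e['iface']}: "
          f"{e['proto_name']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    print("source matches rule 17:", source_in_rule(e, RULE_17_SOURCE))
```

The parsed fields show a TCP packet from port 80 of 192.168.100.1 arriving on eth0 and being denied by rule 17 of the input chain, whose source column covers that address.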