Eyal:
        Heya. The problem adding some ACCEPT rules to allow
one address to work, though, is that these rules must be
inserted into the ipchains input chain *before* the rule
which DENYs the whole range. Else the packet will be dropped
before it gets to the forward chain.

        Me, I'm not prejudiced against the RFC-1918 ranges
anymore. It used to be that any traffic coming from them could
be considered suspicious. Now all traffic is suspicious. :)

-Scott

> > >       Heya. Yes, the 10.x.y.z private IP address range is blocked
> > > by the default firewall script that comes with Dachstein. You may
> > > want to try "echowall.lrp" which I built for Dachstein which doesn't
> > > do this. I had the same trouble with the standard Dachstein ruleset,
> > > and before long I had so many customizations to it, it became its
> > > own package. :)
> > >
> > >       If you want to keep using the default Dachstein firewall
> > > for whatever reason, I believe the changes you need to make are in
> > > the network.conf file. Should be easy to find in there...
> >
> > I had to get past that once... What I did (if memory, and old comments
> > serve) was in ipfilter.conf:
> >
> > ~line 208:
> > $IPCH -A $LIST -j DENY -p all  -s 10.0.0.0/8 -d 0/0 -l $*
> >
> > ~line 420:
> > $IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
> >
> > ~line 502:
> > $IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
> >
> > comment out those lines, and the rules don't get made...
>
> Are you trying to connect to the modem itself (the web server on
> it)? This was my need with my ADSL modem.
>
> If so then I preferred to not open the whole range, but instead
> open just the one IP where the modem http server sits. I changed
> the end of my /etc/ipfilter.conf by adding the following last
> section. The Alcatel SpeedTouch Home uses the 10.0.0.138 address,
> find out what yours uses.
>
> I am on an old LRP using 2.2.16, but the same idea should apply to
> the later configurations.
>
> =========================================
> ADSL_SERVER_IP="10.0.0.138"
> for NET in $INTERN_NET ; do
>         $IPCH -I forward 1 -j MASQ -p tcp \
>                 -s $NET -d $ADSL_SERVER_IP www -i eth0
> done
> }
>
> << EOF >>
> =========================================
>
> --
> Eyal Lebedinsky ([EMAIL PROTECTED]) <http://samba.org/eyal/>
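Scott's point about rule order is the one that bites most people with ipchains: a chain is evaluated top-down and the first matching rule decides, so an ACCEPT appended (`-A`) after the 10.0.0.0/8 DENY is never consulted, while the same rule inserted at position 1 (`-I input 1`) is. The following is an added illustration, not code from the thread or from Dachstein/echowall: a small Python model of first-match chain evaluation, loaded with a constructed approximation of the two input-chain DENYs quoted above (~line 208 and ~line 420). The interface names (eth0 external, eth1 internal), the LAN host 192.168.1.10 and the reply packet are assumptions; 10.0.0.138 is the modem address from Eyal's fragment.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed assumptions: eth0 plays the role of $EXTERN_RIF, eth1 the LAN side.
EXTERN_IF = "eth0"
INTERN_IF = "eth1"
ADSL_SERVER_IP = "10.0.0.138"   # the modem address quoted in the thread


@dataclass
class Packet:
    src: str
    dst: str
    iface: str                  # interface the packet arrived on
    dport: Optional[int] = None


@dataclass
class Rule:
    """One ipchains rule: a match specification plus a target."""
    target: str                       # ACCEPT, DENY, MASQ ...
    src: str = "0.0.0.0/0"            # -s
    dst: str = "0.0.0.0/0"            # -d
    iface: Optional[str] = None       # -i (None = any interface)
    dport: Optional[int] = None       # destination port (None = any)

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class Chain:
    """ipchains walks the rules top-down; the first match decides the verdict."""
    name: str
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:            # ipchains -A <chain>
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # ipchains -I <chain> <pos> (1-based)
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def dachstein_like_input_chain() -> Chain:
    """Constructed approximation of the two input-chain DENYs quoted in the thread:
    ~line 208: -s 10.0.0.0/8 -d 0/0   and   ~line 420: -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF."""
    chain = Chain("input")
    chain.append(Rule("DENY", src="10.0.0.0/8"))
    chain.append(Rule("DENY", dst="10.0.0.0/8", iface=EXTERN_IF))
    return chain


# Constructed sample: the modem's HTTP reply arriving on the external interface.
MODEM_REPLY = Packet(src=ADSL_SERVER_IP, dst="192.168.1.10", iface=EXTERN_IF, dport=40000)
# The single-host exception we want: only the modem, only on the external interface.
ALLOW_MODEM = Rule("ACCEPT", src=ADSL_SERVER_IP + "/32", iface=EXTERN_IF)


def verdict_with_appended_accept() -> str:
    """-A places the ACCEPT after the range-wide DENY, so it is never reached."""
    chain = dachstein_like_input_chain()
    chain.append(ALLOW_MODEM)
    return chain.verdict(MODEM_REPLY)


def verdict_with_inserted_accept() -> str:
    """-I input 1 places the ACCEPT ahead of the DENY, so this one host gets through."""
    chain = dachstein_like_input_chain()
    chain.insert(1, ALLOW_MODEM)
    return chain.verdict(MODEM_REPLY)


def verdict_other_10_host() -> str:
    """Every other 10/8 source is still caught by the range DENY even with the exception in place."""
    chain = dachstein_like_input_chain()
    chain.insert(1, ALLOW_MODEM)
    return chain.verdict(Packet(src="10.1.2.3", dst="192.168.1.10", iface=EXTERN_IF))


if __name__ == "__main__":
    print("appended ACCEPT:", verdict_with_appended_accept())
    print("inserted ACCEPT:", verdict_with_inserted_accept())
    print("other 10/8 host:", verdict_other_10_host())
```

The model deliberately keeps the exception as narrow as the thread suggests (one /32, one interface) so that the rest of 10.0.0.0/8 stays blocked; the same first-match logic explains why the ordering in the real `ipfilter.conf` matters and not just which rules are present.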
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html