Re: [leaf-user] 10.10.x.x network blocked by default?

2002-07-16 Thread Eyal Lebedinsky

"Scott C. Best" wrote:
> 
> Eyal:
> Heya. The problem adding some ACCEPT rules to allow
> one address to work, though, is that these rules must be
> inserted into the ipchains input chain *before* the rule
> which DENYs the whole range. Else the packet will be dropped
> before it gets to the forward chain.

[trimmed] 
> Eyal wrote:
> > If so then I preferred to not open the whole range, but instead
> > open just the one IP where the modem http server sits. I changed
> > the end of my /etc/ipfilter.conf by adding the following last
> > section. The Alcatel SpeedTouch Home uses the 10.0.0.138 address,
> > find out what yours uses.

Note the "1" below which means "insert at top":

> > $IPCH -I forward 1 -j MASQ -p tcp \
> > -s $NET -d $ADSL_SERVER_IP www -i eth0

--
Eyal Lebedinsky ([EMAIL PROTECTED]) 


---
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
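As an added illustration (not from anyone on this thread, and not LEAF's or Dachstein's own code), the Python below models the first-match traversal Scott describes: a routed packet walks input -> forward -> output, a DENY in input ends the walk before forward ever sees the packet, and an ACCEPT appended (-A) after the 10/8 DENY never fires while the same rule inserted at position 1 (-I chain 1) does. The three DENY rules follow the lines Jon quoted; everything else is an assumption for the model: that the $LIST anti-spoof rule applies to packets arriving on the external interface, the interface names eth0 (ADSL side) and eth1 (LAN), a 192.168.1.0/24 LAN with a plain MASQ rule, and that de-masqueraded replies skip the forward chain as they did on 2.2 kernels. It also shows why narrowing the exception to 10.0.0.138 tcp/80 leaves the rest of 10/8 blocked.

```python
"""Toy first-match model of ipchains (kernel 2.2) chain traversal.

Added example; it reproduces rule *semantics* only and does not call ipchains.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXTERN, INTERN = "eth0", "eth1"      # assumed: ADSL side and LAN side
LAN_NET = "192.168.1.0/24"           # assumed LAN range ($INTERN_NET in ipfilter.conf)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp"
    dport: int
    in_if: str      # interface the packet arrived on
    out_if: str     # interface routing will send it out on


@dataclass(frozen=True)
class Rule:
    """One ipchains rule; within a chain the first matching rule wins."""
    target: str                     # ACCEPT, DENY, REJECT, MASQ
    src: str = "0.0.0.0/0"          # -s
    dst: str = "0.0.0.0/0"          # -d
    proto: str = "all"              # -p
    dport: Optional[int] = None     # destination port ("www" resolves to 80)
    iface: Optional[str] = None     # -i (meaning depends on the chain, see Chain.verdict)

    def matches(self, pkt: Packet, iface: str) -> bool:
        if self.iface is not None and self.iface != iface:
            return False
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


class Chain:
    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []  # type: ignore[var-annotated]

    def append(self, rule: Rule) -> None:          # ipchains -A chain ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # ipchains -I chain N ... (1 = top)
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        # ipchains: -i is the receiving interface in the input chain and the
        # sending interface in the forward and output chains.
        iface = pkt.in_if if self.name == "input" else pkt.out_if
        for rule in self.rules:
            if rule.matches(pkt, iface):
                return rule.target
        return self.policy


def route(pkt: Packet, chains: List[Chain]) -> Tuple[str, Optional[str]]:
    """Walk the given chains in order; a DENY/REJECT ends the walk at once.
    Returns (verdict, name of the chain that dropped it, or None if passed)."""
    masq = False
    for chain in chains:
        v = chain.verdict(pkt)
        if v in ("DENY", "REJECT"):
            return v, chain.name
        if v == "MASQ":
            masq = True
    return ("MASQ" if masq else "ACCEPT"), None


def dachstein_like(modem_ip: Optional[str] = None, how: str = "insert"):
    """The three 10/8 DENY rules from the thread, plus an optional single-host
    exception added either with -A ("append") or -I chain 1 ("insert")."""
    inp, fwd, out = Chain("input"), Chain("forward", policy="DENY"), Chain("output")
    inp.append(Rule("DENY", src="10.0.0.0/8", iface=EXTERN))   # ~line 208 ($LIST anti-spoof; assumed on external input)
    inp.append(Rule("DENY", dst="10.0.0.0/8", iface=EXTERN))   # ~line 420
    out.append(Rule("DENY", dst="10.0.0.0/8", iface=EXTERN))   # ~line 502
    fwd.append(Rule("MASQ", src=LAN_NET, iface=EXTERN))        # assumed LAN -> ADSL masquerade
    if modem_ip is not None:
        to_modem = Rule("ACCEPT", dst=modem_ip, proto="tcp", dport=80, iface=EXTERN)
        from_modem = Rule("ACCEPT", src=modem_ip, proto="tcp", iface=EXTERN)
        if how == "append":      # lands *after* the DENY, so it is never reached
            out.append(to_modem)
            inp.append(from_modem)
        else:                    # position 1: evaluated before the DENY
            out.insert(to_modem, 1)
            inp.insert(from_modem, 1)
    return inp, fwd, out


def scenario(how: Optional[str]) -> dict:
    """Request/reply for the modem web UI plus two off-target packets.
    how=None is the stock ruleset; "append"/"insert" add the exception."""
    modem, lan = "10.0.0.138", "192.168.1.10"
    inp, fwd, out = dachstein_like(modem if how else None, how or "insert")
    req = Packet(lan, modem, "tcp", 80, INTERN, EXTERN)
    rep = Packet(modem, lan, "tcp", 40000, EXTERN, INTERN)   # de-masqueraded reply: input -> output
    other_host = Packet(lan, "10.0.0.1", "tcp", 80, INTERN, EXTERN)
    other_port = Packet(lan, modem, "tcp", 23, INTERN, EXTERN)
    return {
        "request": route(req, [inp, fwd, out]),
        "reply": route(rep, [inp, out]),
        "other_host": route(other_host, [inp, fwd, out]),
        "other_port": route(other_port, [inp, fwd, out]),
    }


if __name__ == "__main__":
    for how in (None, "append", "insert"):
        print(how or "stock", scenario(how))
```

With the stock rules the request dies in output (~line 502) and the modem's reply dies in input (~line 208); appending the exception changes nothing, inserting it at position 1 lets exactly 10.0.0.138 tcp/80 through while 10.0.0.1 and port 23 on the modem stay blocked.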



Re: [leaf-user] 10.10.x.x network blocked by default?

2002-07-15 Thread Scott C. Best

Eyal:
Heya. The problem adding some ACCEPT rules to allow
one address to work, though, is that these rules must be
inserted into the ipchains input chain *before* the rule
which DENYs the whole range. Else the packet will be dropped
before it gets to the forward chain.

Me, I'm not prejudiced against the RFC-1918 ranges
anymore. It used to be that any traffic coming from them could
be considered suspicious. Now all traffic is suspicious. :)

-Scott

> > >   Heya. Yes, the 10.x.y.z private IP address range is blocked
> > > by the default firewall script that comes with Dachstein. You may
> > > want to try "echowall.lrp" which I built for Dachstein which doesn't
> > > do this. I had the same trouble with the standard Dachstein ruleset,
> > > and before long I had so many customizations to it, it became its
> > > own package. :)
> > >
> > >   If you want to keep using the default Dachstein firewall
> > > for whatever reason, I believe the changes you need to make are in
> > > the network.conf file. Should be easy to find in there...
> >
> > I had to get past that once... What I did (if memory, and old comments
> > serve) was in ipfilter.conf:
> >
> > ~line 208:
> > $IPCH -A $LIST -j DENY -p all  -s 10.0.0.0/8 -d 0/0 -l $*
> >
> > ~line 420:
> > $IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
> >
> > ~line 502:
> > $IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
> >
> > comment out those lines, and the rules don't get made...
>
> Are you trying to connect to the modem itself (the web server on
> it)? This was my need with my ADSL modem.
>
> If so then I preferred to not open the whole range, but instead
> open just the one IP where the modem http server sits. I changed
> the end of my /etc/ipfilter.conf by adding the following last
> section. The Alcatel SpeedTouch Home uses the 10.0.0.138 address,
> find out what yours uses.
>
> I am on an old LRP using 2.2.16, but the same idea should apply to
> the later configurations.
>
> =
> ADSL_SERVER_IP="10.0.0.138"
> for NET in $INTERN_NET ; do
> $IPCH -I forward 1 -j MASQ -p tcp \
> -s $NET -d $ADSL_SERVER_IP www -i eth0
> done
> }
>
> << EOF >>
> =
>
> --
> Eyal Lebedinsky ([EMAIL PROTECTED]) 




Re: [leaf-user] 10.10.x.x network blocked by default?

2002-07-15 Thread Eyal Lebedinsky

Jon Clausen wrote:
> 
> On Mon, Jul 15, 2002 at 07:15:24PM +, Scott C. Best wrote:
> > Tony:
> >   Heya. Yes, the 10.x.y.z private IP address range is blocked
> > by the default firewall script that comes with Dachstein. You may
> > want to try "echowall.lrp" which I built for Dachstein which doesn't
> > do this. I had the same trouble with the standard Dachstein ruleset,
> > and before long I had so many customizations to it, it became its
> > own package. :)
> >
> >   If you want to keep using the default Dachstein firewall
> > for whatever reason, I believe the changes you need to make are in
> > the network.conf file. Should be easy to find in there...
> 
> I had to get past that once... What I did (if memory, and old comments
> serve) was in ipfilter.conf:
> 
> ~line 208:
> $IPCH -A $LIST -j DENY -p all  -s 10.0.0.0/8 -d 0/0 -l $*
> 
> ~line 420:
> $IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
> 
> ~line 502:
> $IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
> 
> comment out those lines, and the rules don't get made...

Are you trying to connect to the modem itself (the web server on
it)? This was my need with my ADSL modem.

If so then I preferred to not open the whole range, but instead
open just the one IP where the modem http server sits. I changed
the end of my /etc/ipfilter.conf by adding the following last
section. The Alcatel SpeedTouch Home uses the 10.0.0.138 address,
find out what yours uses.

I am on an old LRP using 2.2.16, but the same idea should apply to
the later configurations.

=
# Let LAN hosts reach only the modem's web server (tcp/80), not all of 10/8.
# Position 1 puts the rule ahead of anything already in the forward chain;
# in the forward chain -i is the interface the packet leaves on (the ADSL side).
ADSL_SERVER_IP="10.0.0.138"
for NET in $INTERN_NET ; do
    $IPCH -I forward 1 -j MASQ -p tcp \
        -s $NET -d $ADSL_SERVER_IP www -i eth0
done
}

<< EOF >>
=

--
Eyal Lebedinsky ([EMAIL PROTECTED]) 





Re: [leaf-user] 10.10.x.x network blocked by default?

2002-07-15 Thread Jon Clausen

On Mon, Jul 15, 2002 at 07:15:24PM +, Scott C. Best wrote:
> Tony:
>   Heya. Yes, the 10.x.y.z private IP address range is blocked
> by the default firewall script that comes with Dachstein. You may
> want to try "echowall.lrp" which I built for Dachstein which doesn't
> do this. I had the same trouble with the standard Dachstein ruleset,
> and before long I had so many customizations to it, it became its
> own package. :)
> 
>   If you want to keep using the default Dachstein firewall
> for whatever reason, I believe the changes you need to make are in
> the network.conf file. Should be easy to find in there...

I had to get past that once... What I did (if memory, and old comments
serve) was in ipfilter.conf:

~line 208:
$IPCH -A $LIST -j DENY -p all  -s 10.0.0.0/8 -d 0/0 -l $*

~line 420:
$IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF

~line 502:
$IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF

comment out those lines, and the rules don't get made... 

I had a nasty time finding them, but it worked...

HTH
Jon Clausen





Re: [leaf-user] 10.10.x.x network blocked by default?

2002-07-15 Thread Scott C. Best

Tony:
Heya. Yes, the 10.x.y.z private IP address range is blocked
by the default firewall script that comes with Dachstein. You may
want to try "echowall.lrp" which I built for Dachstein which doesn't
do this. I had the same trouble with the standard Dachstein ruleset,
and before long I had so many customizations to it, it became its
own package. :)

If you want to keep using the default Dachstein firewall
for whatever reason, I believe the changes you need to make are in
the network.conf file. Should be easy to find in there...


-Scott

>   I am attempting to set up a Dachstein router to connect to a
> DSL modem. The IP is in the 10.10.x.x range. I think that this may be the
> reason that I can't get it to work. Is the 10.10.x.x network blocked by
> default as a reserved network? Where do I go to stop this from being blocked
> in Dachstein?
>
>
>   Thanks in advance.
>
>   Troy.



