On Saturday 27 May 2006 23:46, Jonathan Chocron wrote:
> On Saturday 27 May 2006 11:40, Dave S wrote:
> > Hi all,
> >
> > This is a bit OT but I have a netgear router DG834 ADSL firewall router.
> > I have restricted my incoming services with ...
> >
> > Enable       Service Name   Action        LAN Server IP address   WAN Users   Log
> > on           bit torrent    ALLOW always  192.168.0.5             Any         Always
> > Default Yes  Any            BLOCK always  Any                     Any         Never
> >
> > And tightened my outgoing services with ...
> >
> > Enable       Service Name   Action        LAN Users     WAN Servers   Log
> > on           HTTP           ALLOW always  Any           Any           Always
> > on           HTTPS          ALLOW always  Any           Any           Always
> > on           POP            ALLOW always  Any           Any           Always
> > on           SMTP           ALLOW always  Any           Any           Always
> > on           NTP            ALLOW always  Any           Any           Always
> > on           FTP            ALLOW always  Any           Any           Always
> > on           rsync          ALLOW always  Any           0.0.0.0       Never
> > on           GM Port 389    ALLOW always  192.168.0.6   Any           Always
> > on           GM Port 1503   ALLOW always  192.168.0.6   Any           Always
> > on           GM Port 1731   ALLOW always  192.168.0.6   Any           Always
> > on           GM 1024-65K    ALLOW always  192.168.0.6   Any           Always
> > on           H.323          ALLOW always  192.168.0.6   Any           Always
> > on           Port >1023     ALLOW always  Any           Any           Always
> > on           Samba          ALLOW always  Any           0.0.0.0       Always
> > on           samba2         ALLOW always  Any           0.0.0.0       Always
> > on           samba3         ALLOW always  Any           0.0.0.0       Always
> > on           Any(ALL)       BLOCK always  Any           Any           Always
> > Default Yes  Any            ALLOW always  Any           Any
> >
> > Some services like rsync and samba I want to keep within my LAN but my
> > DG834 insists I give it at least one IP address on the WAN that my service
> > can be broadcast to. I selected 0.0.0.0
> >
> > Can anyone advise, am I going about this the right way, any comment
> > greatly appreciated :)
> >
> > Cheers
> >
> > Dave
>
> I am not the best net admin on earth, but it seems to me that 0.0.0.0 is
> definitely not a broadcast address. If you want to keep things in your LAN,
> you should have something like 192.168.0.255 instead.
>
> Moreover, I do not quite understand what you are trying to do. I had
> approximately the same router (same brand anyway), and it did not block any
> LAN-only services.
Yep, same here. I was trying to lock down my router. By default it allows any
outgoing packets and only allows incoming packets if they are related to the
incoming packets. I was trying to lock down my outgoing packets so services
such as Samba would not broadcast anything to the WAN. As such I defaulted
outgoing to BLOCK and allowed only certain ports. However I then needed to
allow ports between computers, i.e. for Samba again. When I opened the port
on the LAN between computers my router wanted at least one IP address for the
WAN. I did not want to give it a real address so chose 0.0.0.0.

I was really asking ...

(a) Is it worthwhile setting up my router this way, or am I being paranoid :)
(b) Is 0.0.0.0 an invalid IP address (I thought it might be)? Because that is
    what I was looking for, to trick my router to send nothing to the WAN.

Cheers

Dave

PS Sorry for the delay, I am an on-call engineer and have been away.

> What you're telling it is, for example, to block *outgoing* rsync. This
> should not in any case be blocking an rsync between two machines inside
> your LAN.
>
> I hope this helps, even if I am not quite sure I understand what you're
> trying to do.
>
> --
> Jonathan

Apologies for my poor explanation :)

--
gentoo-user@gentoo.org mailing list
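The two questions in the thread (whether outgoing rules ever see LAN-to-LAN traffic, and what 0.0.0.0 is) can be checked with a small first-match model of the outgoing table above. This is an added example, not code from the post or from Netgear: it assumes the LAN is 192.168.0.0/24 (the 192.168.0.x hosts in the post), models a subset of the outgoing rules, assumes the three Samba rows cover 137-138/udp, 139/tcp and 445/tcp, and treats a "0.0.0.0" WAN Servers entry as a single-host match that no real destination satisfies (the DG834's own interpretation of 0.0.0.0 is not stated in the thread). The sample packets and the 203.0.113.10 WAN host are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed LAN: the 192.168.0.x hosts in the post fit a /24.
LAN = ipaddress.IPv4Network("192.168.0.0/24")


def net(spec: str) -> ipaddress.IPv4Network:
    """Map a rule column to a network: 'Any' matches everything, a bare
    address matches that single host (/32)."""
    return ipaddress.IPv4Network("0.0.0.0/0" if spec == "Any" else spec)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                          # "tcp", "udp" or "any"
    ports: range                        # destination ports the service uses
    lan_users: ipaddress.IPv4Network    # source match ("LAN Users" column)
    wan_servers: ipaddress.IPv4Network  # destination match ("WAN Servers" column)
    action: str                         # "ALLOW" or "BLOCK"


# Subset of the outgoing table from the post, evaluated top to bottom, first
# match wins. ASSUMPTION: a 0.0.0.0 WAN Servers entry is modelled as 0.0.0.0/32,
# which no real destination ever matches. ASSUMPTION: the Samba/samba2/samba3
# rows are 137-138/udp, 139/tcp and 445/tcp.
OUTBOUND_RULES = [
    Rule("HTTP",     "tcp", range(80, 81),    net("Any"), net("Any"),     "ALLOW"),
    Rule("HTTPS",    "tcp", range(443, 444),  net("Any"), net("Any"),     "ALLOW"),
    Rule("POP",      "tcp", range(110, 111),  net("Any"), net("Any"),     "ALLOW"),
    Rule("SMTP",     "tcp", range(25, 26),    net("Any"), net("Any"),     "ALLOW"),
    Rule("NTP",      "udp", range(123, 124),  net("Any"), net("Any"),     "ALLOW"),
    Rule("rsync",    "tcp", range(873, 874),  net("Any"), net("0.0.0.0"), "ALLOW"),
    Rule("Samba",    "udp", range(137, 139),  net("Any"), net("0.0.0.0"), "ALLOW"),
    Rule("samba2",   "tcp", range(139, 140),  net("Any"), net("0.0.0.0"), "ALLOW"),
    Rule("samba3",   "tcp", range(445, 446),  net("Any"), net("0.0.0.0"), "ALLOW"),
    Rule("Any(ALL)", "any", range(0, 65536),  net("Any"), net("Any"),     "BLOCK"),
]
DEFAULT_ACTION = "ALLOW"   # the post's Default row; never reached past Any(ALL)


def egress_decision(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide what happens to one packet sent by a LAN host.

    Traffic between two LAN hosts (including the directed broadcast
    192.168.0.255) is delivered on the local segment and never reaches the
    router's outgoing filter, so it is reported as LAN-LOCAL before any rule
    is consulted. Everything else walks the table, first match wins."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if s in LAN and d in LAN:
        return "LAN-LOCAL"
    for r in OUTBOUND_RULES:
        if (r.proto in ("any", proto) and dport in r.ports
                and s in r.lan_users and d in r.wan_servers):
            return f"{r.action} ({r.name})"
    return f"{DEFAULT_ACTION} (Default)"


def address_facts() -> dict:
    """Question (b): 0.0.0.0 parses as a valid IPv4 address, but it is the
    'unspecified' address, not a broadcast address. The LAN's broadcast
    address is the last address of the subnet."""
    zero = ipaddress.IPv4Address("0.0.0.0")
    return {
        "zero_is_unspecified": zero.is_unspecified,
        "zero_is_lan_broadcast": zero == LAN.broadcast_address,
        "lan_broadcast": str(LAN.broadcast_address),
    }


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.10 is a documentation address
    # standing in for some host on the WAN.
    samples = [
        ("192.168.0.5", "192.168.0.6",   "tcp", 445),  # Samba between two LAN PCs
        ("192.168.0.5", "192.168.0.255", "udp", 137),  # NetBIOS name broadcast
        ("192.168.0.5", "203.0.113.10",  "udp", 137),  # NetBIOS leaking to the WAN
        ("192.168.0.5", "203.0.113.10",  "tcp", 873),  # rsync to the WAN
        ("192.168.0.5", "203.0.113.10",  "tcp", 80),   # ordinary web browsing
    ]
    for pkt in samples:
        print(pkt, "->", egress_decision(*pkt))
    print(address_facts())
```

Running it shows the point Jonathan makes: the Samba and rsync packets between 192.168.0.5 and 192.168.0.6, and the NetBIOS broadcast to 192.168.0.255, come back LAN-LOCAL without a single rule being consulted, so the rsync/Samba rows with 0.0.0.0 are doing nothing either way. What actually keeps Samba off the WAN is the Any(ALL) BLOCK row (or a BLOCK default), which the udp/137 packet to 203.0.113.10 falls through to, while tcp/80 is still allowed by the HTTP row. Under this model, 0.0.0.0 is syntactically valid but unspecified and is not the LAN broadcast address (192.168.0.255 is).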