Hello Lonnie,

Thanks for the quick reply.

The reason I looked up the post from 2009 was because I _have_ ticked the box for the firewall option "LAN to LAN" on the webGUI, and this is what's in the gui file:

iPBX rc.conf.d # grep ALLOWLANS *
gui.firewall.conf:ALLOWLANS="INTIF INT2IF"
iPBX rc.conf.d #

and just to show that the interfaces are configured:

iPBX rc.conf.d # grep INT *
gui.firewall.conf:ALLOWLANS="INTIF INT2IF"
gui.network.conf:INTIF="eth1"
gui.network.conf:INTIP="192.168.7.250"
gui.network.conf:INTNM="255.255.255.0"
gui.network.conf:INT2IF="eth2"
gui.network.conf:INT2IP="192.168.207.249"
gui.network.conf:INT2NM="255.255.255.0"
gui.network.conf:INT3IF=""
gui.network.conf:INT3IP=""
gui.network.conf:INT3NM="255.255.255.0"
iPBX rc.conf.d #

I still don't get traffic from one LAN to the other.

I have a net4801, i.e. 3 Ethernet ports (eth0, eth1, eth2).

From iPBX (192.168.7.250) I can ping hosts on both networks.
From a host on 192.168.7.0 I can ping INTIF (192.168.7.250) and INT2IF (192.168.207.249).
From a host on 192.168.207.0 I can _only_ ping INT2IF (192.168.207.249) and not even 192.168.7.250.

I'm not so worried about traffic passing 207->7; in fact I'd like to block it. But I need to access resources on the "207" network from the "7" network (printers etc.).

Any ideas? I seem to be overlooking something . . .

-Graham-

PS: What's the difference between TRUSTED_IF and IF_TRUSTS, and how do these get set up and used? I have:

iPBX rc.conf.d # grep TRUST *
user.conf:TRUSTED_IF=""
user.conf:IF_TRUSTS="eth1 eth2"
iPBX rc.conf.d #

and I didn't set (any of) them by hand.

PPS/FYI:

iPBX rc.conf.d # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.207.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
224.0.0.0       0.0.0.0         240.0.0.0       U     0      0        0 eth2
224.0.0.0       0.0.0.0         240.0.0.0       U     0      0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
iPBX rc.conf.d #

on my Windows PC (in French):

Itinéraires actifs :
Destination réseau   Masque réseau     Adr. passerelle   Adr. interface   Métrique
0.0.0.0              0.0.0.0           192.168.7.250     192.168.7.207    20
127.0.0.0            255.0.0.0         127.0.0.1         127.0.0.1        1
169.254.2.0          255.255.255.0     169.254.2.2       169.254.2.2      30
169.254.2.2          255.255.255.255   127.0.0.1         127.0.0.1        30
169.254.255.255      255.255.255.255   169.254.2.2       169.254.2.2      30
192.168.7.0          255.255.255.0     192.168.7.207     192.168.7.207    20
192.168.7.207        255.255.255.255   127.0.0.1         127.0.0.1        20
192.168.7.255        255.255.255.255   192.168.7.207     192.168.7.207    20
224.0.0.0            240.0.0.0         169.254.2.2       169.254.2.2      30
224.0.0.0            240.0.0.0         192.168.7.207     192.168.7.207    20
255.255.255.255      255.255.255.255   169.254.2.2       3                1
255.255.255.255      255.255.255.255   169.254.2.2       169.254.2.2      1
255.255.255.255      255.255.255.255   192.168.7.207     192.168.7.207    1
Passerelle par défaut : 192.168.7.250
===========================================================================
Itinéraires persistants :
Aucun

Lonnie Abelbeck wrote on 07/10/2010 00:22:
> Hi Graham,
>
> You have several options...
>
> 1) The web interface allows you to specify which LAN interfaces can talk to
> each other
>
> 2) There is an ALLOWLANS AstLinux variable...
>
> ## Allow LAN to LAN traffic for internal interfaces, defaults to disallow
> ## Space separate "INTIF" for 1st, "INT2IF" for 2nd, and "INT3IF" for 3rd Internal Interface
> ## Separate groups using a ~ (tilde)
>
> #ALLOWLANS="INTIF INT2IF"
> #ALLOWLANS="INTIF INT2IF~INTIF INT3IF"  # (INTIF <=> INT2IF talk and INTIF <=> INT3IF talk, but *not* INT2IF <=> INT3IF)
> #ALLOWLANS="INTIF INT2IF INT3IF"
>
> 3) Use the IF_TRUSTS variable directly (which both above use)
>
> Lonnie
>
> PS: The INT_IF_TRUST variable went away in the AIF firewall some time ago,
> replaced by the more powerful IF_TRUSTS.
>
>
> On Oct 6, 2010, at 5:04 PM, Graham S. Jarvis wrote:
>
>> Hello,
>>
>> I'd like to return to this post with a question for 0.7.3 :
>>
>> I don't find INT_IF_TRUST in firewall.conf
>> but I do find the following:
>>
>> # (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
>> # traffic should be ACCEPTED. (multiple(!) interfaces should be space
>> # separated). Be warned that anything TO and FROM these interfaces is allowed
>> # (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
>> # (internet)! And of course putting one of your external interfaces here would
>> # be extremely stupid.
>> # -----------------------------------------------------------------------------
>> TRUSTED_IF=""
>>
>> # (EXPERT SETTING!) Put here the interfaces that should trust
>> # each other (accept forward traffic). You can use | (piping-sign) to create
>> # seperate interface groups. And (again) of course putting one of your external
>> # interfaces here would be extremely stupid.
>> # -----------------------------------------------------------------------------
>> IF_TRUSTS=""
>>
>> Which one should I use in user.conf ???
>>
>> Could someone explain what the difference is between these two variables
>> please.
>>
>> Thanks,
>>
>> -Graham-
>>
>>
>> Lonnie Abelbeck wrote on 27/03/2009 15:46:
>>> Chris,
>>>
>>> The Firewall tab in the web interface uses an additional level of
>>> abstraction for the firewall rules and then automatically generates
>>> either Arno 1.8.8 (AstLinux 0.6.x) or Arno 1.9.0 (AstLinux 0.7 and
>>> trunk) arno firewall variables.
>>>
>>> The Firewall tab assumes a default, unedited firewall.conf. The
>>> /mnt/kd/rc.conf.d/gui.firewall.conf contains the variables that override
>>> the defaults of the stock firewall.conf file. Any firewall setting
>>> not covered with the Firewall tab can be added via the Network tab's
>>> Advanced - User System Variables button (user.conf).
>>>
>>> Basically, the firewall.conf file is used to set defaults and
>>> documentation for the arno firewall, much like the /stat/etc/rc.conf
>>> does for the AstLinux system.
>>>
>>> I see Darrick has responded... well done.
>>>
>>> Lonnie
>>>
>>>
>>> On Mar 27, 2009, at 9:12 AM, Chris Abnett wrote:
>>>
>>>> What is the web interface reading?? I fixed my issue by editing the
>>>> /mnt/kd/arno-iptables-firewall/firewall.conf file.
>>>>
>>>> When I go to the web interface and go to the firewall configuration it says
>>>> there are no rules defined.... please don't tell me I need to start over -
>>>> I've got a lot of rules.. the immediate issue is fixed.. but what is the
>>>> *Right* way to admin my machine so that in future I don't wipe things when I
>>>> re-compile and upgrade?..
>>>>
>>>> I have been used to using both the GUI and editing the config files for
>>>> Asterisk itself using the asterisk-gui and have seen no ill effects....
>>>>
>>>> But does the alt-web interface first read the configs and then populate the
>>>> web GUI or is there a separate database where the GUI stores its info and
>>>> then writes out the configs..
>>>> -Christopher
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Astlinux-users mailing list
>>> Astlinux-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>
>>> Donations to support AstLinux are graciously accepted via PayPal to
>>> pay...@krisk.org.
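As an added illustration for this thread (it is not part of the thread, nor AstLinux or Arno firewall code), the POSIX shell script below expands the two trust variables discussed above into the interface pairs they allow to forward: ALLOWLANS as Lonnie documents it (logical names INTIF/INT2IF/INT3IF, space-separated members, groups split by ~) and IF_TRUSTS as the firewall.conf comment describes it (device names, groups split by |). It resolves the logical names to devices from a constructed gui.network.conf-style block holding the values Graham posted; that the file consists of plain NAME="value" lines is an assumption made for the example, and the firewall's real parser is not shown on this page.

```shell
#!/bin/sh
# Added example, not from the thread or from AstLinux/Arno: expand the
# interface-trust variables into the interface pairs they let forward.
#
# Semantics taken from the thread:
#   ALLOWLANS - logical names (INTIF INT2IF INT3IF), groups split by "~"
#   IF_TRUSTS - device names (eth1 eth2 ...), groups split by "|"
# Within a group every interface trusts every other one, in both directions.

# Constructed stand-in for /mnt/kd/rc.conf.d/gui.network.conf with the
# values Graham posted (assumption: plain NAME="value" lines).
NET_CONF='INTIF="eth1"
INT2IF="eth2"
INT3IF=""'

# resolve_if CONF NAME: print the device assigned to logical name NAME
# (empty if NAME is unset, as INT3IF is above).
resolve_if() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\"\$/\1/p"
}

# trust_pairs VALUE SEP: print one "A B" line for every ordered pair of
# interfaces that VALUE lets forward to each other, groups split on SEP.
trust_pairs() {
    sep=$2
    printf '%s\n' "$1" | tr "$sep" '\n' | while IFS= read -r group; do
        set -- $group              # members of this group
        for a in "$@"; do
            for b in "$@"; do
                if [ "$a" != "$b" ]; then printf '%s %s\n' "$a" "$b"; fi
            done
        done
    done | LC_ALL=C sort -u
}

allowlans_pairs() { trust_pairs "$1" '~'; }
if_trusts_pairs() { trust_pairs "$1" '|'; }

# *_permits VALUE FROM TO: exit 0 if FROM may forward to TO under VALUE.
allowlans_permits() { allowlans_pairs "$1" | grep -qxF "$2 $3"; }
if_trusts_permits() { if_trusts_pairs "$1" | grep -qxF "$2 $3"; }

# allowlans_devices CONF VALUE: allowlans_pairs with logical names resolved
# to devices; pairs that reference an unset device are dropped.
allowlans_devices() {
    conf=$1
    allowlans_pairs "$2" | while read -r a b; do
        da=$(resolve_if "$conf" "$a")
        db=$(resolve_if "$conf" "$b")
        if [ -n "$da" ] && [ -n "$db" ]; then printf '%s %s\n' "$da" "$db"; fi
    done
}

# Demo with the values from the thread.
echo 'ALLOWLANS="INTIF INT2IF" forwards between (from to):'
allowlans_devices "$NET_CONF" "INTIF INT2IF"
echo 'IF_TRUSTS="eth1 eth2" forwards between (from to):'
if_trusts_pairs "eth1 eth2"
```

Run with Graham's values it lists eth1 eth2 and eth2 eth1, i.e. both directions. That symmetry is the point to notice: firewall.conf describes IF_TRUSTS as interfaces that "trust each other (accept forward traffic)", so neither ALLOWLANS nor IF_TRUSTS can express the one-way policy Graham mentions (7 -> 207 allowed, 207 -> 7 blocked); that would need a rule outside these two variables. The script also makes Lonnie's grouped example concrete: "INTIF INT2IF~INTIF INT3IF" yields INTIF<=>INT2IF and INTIF<=>INT3IF but never INT2IF<=>INT3IF.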