On Sunday 28 May 2006 16:53, Dave S wrote:
> Yep, same here. I was trying to lock down my router. By default it allows
> any outgoing packets and only allows incoming packets if they are related
> to the incoming packets.
>
> I was trying to lock down my outgoing packets so services such as Samba
> would not broadcast anything to the WAN.
>
> As such I defaulted outgoing to BLOCK and allowed only certain ports.
>
> However I then needed to allow ports between computers, i.e. for Samba again.
>
> When I opened the port on the LAN between computers my router wanted at
> least one IP address for the WAN. I did not want to give it a real address
> so chose 0.0.0.0
>
> I was really asking ...
>
> (a) Is it worthwhile setting up my router this way, or am I being paranoid
> :)
I do not think it wise to set up your router that way. Here's a little theory. I apologize if you're familiar with it, but it is necessary for later development.

When in a LAN, a packet will not reach the WAN unless you specify you want it to; that includes broadcasts. An element of an IP address is a number between 0 and 254. 255 is used only for broadcasting. Moreover, rsync and samba, and most daemons, take as a parameter the address or address range they can accept connections from. An incoming connection from the WAN could not connect to the daemon even if it wanted to.

> (b) Is 0.0.0.0 an invalid IP address (I thought it might be) because that
> is what I was looking for to trick my router to send nothing to the WAN

An IP address is meaningful only in conjunction with a mask. 0.0.0.0 with mask 255.255.255.255 means broadcast to every single IP address that exists, since the mask indicates between which boundaries the IP number can vary (in this case every IP address item can vary between 0 and 254). As a conclusion, this is definitely not what you want to do ! ;-)

So, taking as a hypothesis that you trust everyone on your LAN, here's what you should do :

- Set the policy for incoming connections to BLOCK.
- Unblock the services you actually need the net to access. Plus, in the config file of the daemon, specify it should listen to 0.0.0.0
- Allow traffic from your LAN to the WAN (again, if you trust everyone). And set up each daemon to only listen to 192.168.0.1/24 (which means only addresses that begin with 192.168.0).
- Set up daemons to broadcast on 192.168.0.255

I hope this was clear, I have hardly slept last night !

-- 
Jonathan

PS : No need to apologize for the delay, I know even gentooists have lives ;)

-- 
[email protected] mailing list
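The exchange above turns on two things: how a prefix length restricts which addresses a firewall rule or daemon bind matches, and what a LAN's broadcast address is. The following is an added worked example, not code from either poster, that models a tiny allow-list firewall with Python's standard `ipaddress` module. It assumes the LAN written in the thread as `192.168.0.1/24`, a constructed WAN address from the 203.0.113.0/24 documentation range, and Samba's NetBIOS/SMB ports (137-139 and 445); the rule set is constructed for illustration. It shows that a rule whose WAN side is "0.0.0.0" with a /0 prefix matches every destination, so it does not confine Samba to the LAN, whereas a `192.168.0.0/24` destination does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    """One allow-list entry: first matching rule wins."""
    action: str                      # "ALLOW" or "BLOCK"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[frozenset] = None  # None means any destination port


def net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False lets a host address with a prefix length, as written in
    # the thread ("192.168.0.1/24"), be normalised to its network 192.168.0.0/24.
    return ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: Iterable[Rule], src: str, dst: str, port: int,
             default: str = "BLOCK") -> str:
    """Return the action for a packet; falls back to the default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.ports is None or port in r.ports):
            return r.action
    return default


def describe(n: ipaddress.IPv4Network) -> dict:
    """Summarise what a prefix actually covers (network, broadcast, size)."""
    return {
        "network": str(n),
        "broadcast": str(n.broadcast_address),
        "addresses": n.num_addresses,
    }


# Assumption: NetBIOS name/datagram/session services plus SMB over TCP.
SMB_PORTS = frozenset({137, 138, 139, 445})

LAN = net("192.168.0.1/24")      # normalises to 192.168.0.0/24
ANYWHERE = net("0.0.0.0/0")      # "0.0.0.0" as the WAN side: every address
SINGLE_ZERO = net("0.0.0.0/32")  # the lone address 0.0.0.0 itself

# Constructed policy A: Samba only between LAN hosts, everything else BLOCKed.
POLICY_LAN_ONLY = [Rule("ALLOW", LAN, LAN, SMB_PORTS)]

# Constructed policy B: the "0.0.0.0" guess as the WAN address of the rule.
POLICY_ANYWHERE = [Rule("ALLOW", LAN, ANYWHERE, SMB_PORTS)]

WAN_HOST = "203.0.113.5"  # constructed, from the documentation range


if __name__ == "__main__":
    for label, n in (("LAN", LAN), ("ANYWHERE", ANYWHERE), ("SINGLE_ZERO", SINGLE_ZERO)):
        print(label, describe(n))
    print("LAN->LAN 445, policy A:", evaluate(POLICY_LAN_ONLY, "192.168.0.10", "192.168.0.20", 445))
    print("LAN->WAN 445, policy A:", evaluate(POLICY_LAN_ONLY, "192.168.0.10", WAN_HOST, 445))
    print("LAN->WAN 445, policy B:", evaluate(POLICY_ANYWHERE, "192.168.0.10", WAN_HOST, 445))
```

Running it prints that `ANYWHERE` spans all 2^32 addresses while `LAN` spans 256 with broadcast `192.168.0.255`; policy A blocks the SMB packet to the WAN host and policy B lets it through. The practical check, whichever router firmware is in use, is to express the WAN side of a LAN-only rule as the LAN prefix itself rather than as a zero address.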

