On Monday 29 May 2006 11:14, Jonathan Chocron wrote:
> On Sunday 28 May 2006 16:53, Dave S wrote:
> > Yep, same here. I was trying to lock down my router. By default it allows
> > any outgoing packets and only allows incoming packets if they are related
> > to the incoming packets.
> >
> > I was trying to lock down my outgoing packets so services such as Samba
> > would not broadcast anything to the WAN.
> >
> > As such I defaulted outgoing to BLOCK and allowed only certain ports.
> >
> > However I then needed to allow ports between computers, i.e. for Samba
> > again.
> >
> > When I opened the port on the LAN between computers my router wanted at
> > least one IP address for the WAN. I did not want to give it a real
> > address so chose 0.0.0.0
> >
> > I was really asking ...
> >
> > (a) Is it worthwhile setting up my router this way, or am I being
> > paranoid
> >
> > :)
>
> I do not think it wise to set up your router that way. Here's a little
> theory. I apologize if you're familiar with it, but it is necessary for
> later development.
>
> When in a LAN, a packet will not reach the WAN unless you specify you want
> it to, that includes broadcasts.
>
> An element of an IP address is a number between 0 and 254. 255 is used only
> for broadcasting.
>
> Moreover, rsync and samba, and most daemons take as a parameter the address
> or address range they can accept connections from. An incoming connection
> from the WAN could not connect to the daemon even if it wanted to.

With you so far :)

> > (b) Is 0.0.0.0 an invalid IP address (I thought it might be) because that
> > is what I was looking for to trick my router to send nothing to the WAN
>
> An IP address is meaningful only in conjunction with a mask. 0.0.0.0 with
> mask 255.255.255.255 means broadcast to every single IP address that
> exists. Since the mask indicates between which boundaries the IP number can
> vary (in this case every IP address item can vary between 0 and 254).
>
> As a conclusion, this is definitely not what you want to do ! ;-)

Gulp :(

> So, taking as a hypothesis that you trust everyone on your LAN, here's what
> you should do :
> - Set the policy for incoming connections to BLOCK.
> - Unblock the services you actually need the net to access. Plus, in the
> config file of the daemon, specify it should listen to 0.0.0.0
> - Allow traffic from your LAN to the WAN (again, if you trust everyone).
> And set up each daemon to only listen to 192.168.0.1/24 (which means only
> addresses that begin with 192.168.0).
> - Set up daemons to broadcast on 192.168.0.255
>
> I hope this was clear, I have hardly slept last night !

That helps a lot, thank you for taking the time to explain. I will have a
google so I understand netmasks & IPs a bit more :(

> -- Jonathan
>
> PS : No need to apologize for the delay, I know even gentooists have lives
> ;)

Wish I was 24/7 Linux - have to pay the mortgage though !

Thanks once again

Dave
--
[email protected] mailing list
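The mask arithmetic the thread keeps coming back to, as an added example that is not part of the original messages: given an address plus prefix length it works out the mask, network and broadcast address, and checks whether a source address falls inside the range a daemon's allow list or a firewall rule would match. It uses the thread's 192.168.0.1/24 and a constructed WAN address (203.0.113.5, from the documentation range); the 0.0.0.0 lines show that a zero-length mask matches every address while /32 matches a single one.

```python
# Added example, not code from the thread: how a netmask decides which
# addresses a firewall allow rule or a daemon's listen range really covers.
# Sample addresses are constructed; 203.0.113.5 is from the documentation
# range and stands in for an arbitrary host on the WAN side.

def to_int(dotted: str) -> int:
    """Turn a dotted quad like 192.168.0.1 into its 32-bit integer form."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return int.from_bytes(bytes(octets), "big")

def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))

def mask_from_prefix(prefix: int) -> int:
    """/24 -> 255.255.255.0; /0 -> 0.0.0.0 (matches everything); /32 -> one host."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def describe_range(cidr: str) -> dict:
    """Mask, network, broadcast and size of a range written as address/prefix."""
    addr, prefix = cidr.split("/")
    mask = mask_from_prefix(int(prefix))
    network = to_int(addr) & mask                # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all set
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "addresses": 1 << (32 - int(prefix)),
    }

def in_range(cidr: str, source: str) -> bool:
    """Would a 'hosts allow' / source-match rule for cidr accept this source?"""
    addr, prefix = cidr.split("/")
    mask = mask_from_prefix(int(prefix))
    return (to_int(source) & mask) == (to_int(addr) & mask)

if __name__ == "__main__":
    print(describe_range("192.168.0.1/24"))      # the LAN range from the thread
    for src in ("192.168.0.42", "203.0.113.5"):
        print(src, "accepted by 192.168.0.1/24:", in_range("192.168.0.1/24", src))
    # 0.0.0.0 means 'any address' only with a zero mask; with /32 it is one address
    print("0.0.0.0/0 accepts WAN host:", in_range("0.0.0.0/0", "203.0.113.5"))
    print("0.0.0.0/32 accepts WAN host:", in_range("0.0.0.0/32", "203.0.113.5"))
```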

