Lance Robertson wrote:

> Thanks for the fast and simple response. I knew it had to be easy.
>
> Does this fix open me up to people trying to hack in via the cable
> modems internal network?

If you allow all the private 192.168 address range through, I would think
that you are not as secure as you would be if you didn't.  Are you saying
that all the users on your cable loop all have 192.168 addresses?
<snip>

> > Find the part of ipfilter.conf that says
> >
> >          # RFC 1918/1627/1597 blocks
> >
> > It'll be at about line 220 in a virgin Dachstein setup.  A couple of lines
> > below this you'll see the line
> >
> >          $IPCH -A $LIST -j DENY -p all  -s 192.168.0.0/16 -d 0/0 -l $*

You could also experiment with adding the particular computers that keep
hitting the logs in /etc/network.conf

SILENT_DENY="192.168.this.machine_port 192.168.next.machine_port"

My silent deny is like three or four lines long, each machine separated by a
space.  Here is the nice part about SILENT_DENY.  It inserts the deny rules
without logging at the front end of the filter AHEAD of any general rules.
You can still find out how many packets have been denied by a particular
rule with weblet under firewall rules.

In short you deny specific targets that you don't want to get through or get
logged and the other bad boys get logged.  You could have the general rule
open to all 192.168 traffic and still block specific machines from that
network that were showing up in the log.

You can edit network.conf or ipfilter.conf and just do a "svi network
ipfilter reload" to try out your changes.  When you get them the way you
want them, then back up, etc.


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
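An added illustration of the rule ordering described in the reply above (this is example code, not part of the message or of the Dachstein scripts): SILENT_DENY-style "ip_port" entries become unlogged DENY rules placed ahead of the logged general RFC 1918 deny, so the noisy hosts drop out of the log while the rest of 192.168/16 is still denied and logged. The chain name "input", the constructed sample addresses and ports, and the choice to apply each port to both tcp and udp are assumptions; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example: build the ipchains rule list in the order the reply describes.
# Nothing here runs ipchains; the commands are only printed for inspection.

IPCH="ipchains"   # same variable name as the quoted ipfilter.conf line
LIST="input"      # assumption: a chain name standing in for Dachstein's $LIST

# Constructed sample in the reply's SILENT_DENY="ip_port ip_port" shape.
SILENT_DENY="192.168.1.20_137 192.168.1.21_138 192.168.1.22_139"

# Emit the per-host silent denies first (no -l, so no log entry), then the
# general RFC 1918 deny from ipfilter.conf, which keeps its -l and logs.
build_rules() {
    for entry in $SILENT_DENY; do
        host=${entry%_*}      # part before the last underscore: the address
        port=${entry##*_}     # part after the last underscore: the port
        # Assumption: the port is a destination port matched for tcp and udp.
        echo "$IPCH -A $LIST -j DENY -p tcp -s $host -d 0/0 $port"
        echo "$IPCH -A $LIST -j DENY -p udp -s $host -d 0/0 $port"
    done
    # General deny for the whole private block, logged (-l), placed last.
    echo "$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l"
}

# Check helpers: the logged catch-all must be the final rule, and every rule
# before it must be an unlogged one.
logged_rule_is_last() {
    build_rules | tail -n 1 | grep -q -- ' -l$'
}

count_silent_rules() {
    build_rules | grep -vc -- ' -l$'
}

build_rules
```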