> I have a question regarding ipchains rules that are enabled by default.
>
> The FAQ (sourceforge LEAF, sec06) on 'LRP won't route to a private IP Range' states:
>
> "As your external NIC address falls in the 192.168.x.x range, comment out that one line
>
> # $IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*
>
> save and exit the file."
>
> If my understanding is correct, commenting this line allows traffic from *ALL* Class C private networks, which makes me a bit nervous - I mean, I have to assume that the reason the rule is there is because there is a known risk to allowing these networks access!
Commenting the line mentioned does *NOT* allow all 192.168.x.x IPs into your system... while everyone can make mistakes, such an obvious security hole would not last long with as many sharp eyes as there are on this list.

Remember, packets still have to go through the rest of the rule-chain, and you're not allowing the packets when you comment the rule, you're just not blindly denying them anymore.

What commenting the above line essentially does is treat the commented private IP range as just another IP on the internet. With the rule commented, you're at no higher risk from a private IP than from any other random IP on the internet at large...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
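The first-match behaviour Charles describes, as an added example that is not part of the original thread or of the LEAF/LRP scripts: a small simulation of an ipchains-style chain where removing the blanket DENY for 192.168.0.0/16 does not create an ACCEPT, the packet just falls through to the remaining rules and the chain's default policy. The chain, the 203.0.113.10 service address and the sample packets are constructed for illustration.

```python
import ipaddress

def cidr(spec):
    """ipchains writes 'any' as 0/0; the ipaddress module wants the full form."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec)

def rule(target, src="0/0", dst="0/0", proto="all"):
    """One chain entry, in the spirit of
    `$IPCH -A $LIST -j TARGET -p PROTO -s SRC -d DST`."""
    return {"target": target, "src": cidr(src), "dst": cidr(dst), "proto": proto}

def evaluate(chain, policy, pkt):
    """Walk the chain in order: the first matching rule decides the verdict.
    If no rule matches, the chain's default policy applies."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for r in chain:
        if src in r["src"] and dst in r["dst"] and r["proto"] in ("all", pkt["proto"]):
            return r["target"]
    return policy

# Constructed external-interface input chain: the anti-spoofing DENY for the
# private range comes first (the line the FAQ says to comment out), then the
# service rules, then a DENY default policy for everything else.
SPOOF_DENY = rule("DENY", src="192.168.0.0/16")
SERVICES = [
    rule("ACCEPT", dst="203.0.113.10/32", proto="tcp"),  # constructed published TCP service
]
POLICY = "DENY"

def verdict_with_rule(pkt):
    """Chain as shipped: 192.168.x.x sources are dropped before anything else."""
    return evaluate([SPOOF_DENY] + SERVICES, POLICY, pkt)

def verdict_without_rule(pkt):
    """Chain with the DENY line commented out: 192.168.x.x sources are now
    judged by the same service rules and default policy as any internet host."""
    return evaluate(SERVICES, POLICY, pkt)

if __name__ == "__main__":
    private_tcp = {"src": "192.168.1.5", "dst": "203.0.113.10", "proto": "tcp"}
    private_udp = {"src": "192.168.1.5", "dst": "203.0.113.10", "proto": "udp"}
    internet_tcp = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp"}
    print("with rule, private->service tcp:   ", verdict_with_rule(private_tcp))
    print("without rule, private->service tcp:", verdict_without_rule(private_tcp))
    print("without rule, private->service udp:", verdict_without_rule(private_udp))
    print("without rule, internet->service tcp:", verdict_without_rule(internet_tcp))
```

Only the packets a later ACCEPT rule would already admit from any internet address are admitted from 192.168.x.x once the line is commented; everything else still lands on the DENY policy.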
