Thanks for the response, Charles.

I did not mean to imply that the list had let an obvious security hole get 
propagated - I know my own understanding is limited and probably flawed, 
and I probably phrased the post poorly.

Just to confirm my understanding:

In order to allow HTTP access to 192.168.100.1, I do need to comment the 
explicit DENY rule, but there should not be a need to add an explicit 
ACCEPT rule for 192.168.100.1 allowing HTTP traffic.  After disabling the 
DENY rule, the cable modem becomes, for all intents and purposes, just 
another web site on the web.

Right?

Is there a way, or any reason, to DENY everything *but* 192.168.100.1?  A 
pointer to TFM to RTFM would be appreciated!

         Thanks again...

                 Ken

At 09:05 AM 03/13/2002 -0600, Charles Steinkuehler wrote:
> > I have a question regarding ipchain rules that are enabled by default.
> >
> > The FAQ (sourceforge LEAF, sec06) on 'LRP won't route to a private IP
> > Range' states:
> >
> > "As your external NIC address falls in the 192.168.x.x range,
> >          comment out that one line
> >
> > # $IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*
> > save and exit the file."
> >
> > If my understanding is correct, commenting this line allows traffic from
> > *ALL* Class C private networks, which makes me a bit nervous - I mean, I
> > have to assume that the reason the rule is there is because there is a
> > known risk to allowing these networks access!
>
>Commenting the line mentioned does *NOT* allow all 192.168.x.x IP's into
>your system...while everyone can make mistakes, such an obvious security
>hole would not last long with as many sharp eyes as there are on this list.
>
>Remember, packets still have to go through the rest of the rule-chain, and
>you're not allowing the packets when you comment the rule, you're just not
>blindly denying them anymore.
>
>What commenting the above line essentially does, is treat the commented
>private IP range as just another IP on the internet.  With the rule
>commented, you're at no higher risk from a private IP than from any other
>random IP on the internet at large...
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

==========================================================================
J. Kenneth Gentle (Ken)       | Phone: (610)255-0361   FAX:(610)255-0418
Gentle Software, LLC          | Email: [EMAIL PROTECTED]
==========================================================================
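To make the first-match behaviour discussed in this thread concrete, here is an added walk-through of an ipchains-style chain in Python. It is not LEAF/LRP code: the only rule taken from the thread is the DENY for 192.168.0.0/16; the "rest of the chain" (a single constructed DENY for portmapper), the chain policy, the packets, and the narrow ACCEPT for 192.168.100.1 are constructed assumptions used to show how commenting the DENY differs from adding an exception in front of it.

```python
"""First-match walk of an ipchains-style rule chain (added illustration, not LEAF code)."""
import ipaddress


def rule(target, proto="all", src="0.0.0.0/0", sport=None,
         dst="0.0.0.0/0", dport=None, log=False):
    """One chain entry; None for a port means 'any port'."""
    return {"target": target, "proto": proto,
            "src": ipaddress.ip_network(src), "sport": sport,
            "dst": ipaddress.ip_network(dst), "dport": dport, "log": log}


def packet(src, dst, proto="tcp", sport=None, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}


def matches(r, p):
    if r["proto"] != "all" and r["proto"] != p["proto"]:
        return False
    if p["src"] not in r["src"] or p["dst"] not in r["dst"]:
        return False
    if r["sport"] is not None and r["sport"] != p["sport"]:
        return False
    if r["dport"] is not None and r["dport"] != p["dport"]:
        return False
    return True


def evaluate(chain, p, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (target, index); index is None when the chain policy applied.
    The ACCEPT policy is an assumption for this illustration."""
    for i, r in enumerate(chain):
        if matches(r, p):
            return r["target"], i
    return policy, None


def to_ipchains(r):
    """Render a rule in the shell form used by the LEAF rules file."""
    def net(n):
        if n.prefixlen == 0:
            return "0/0"
        if n.prefixlen == 32:
            return str(n.network_address)
        return str(n)
    parts = ["$IPCH -A $LIST -j", r["target"], "-p", r["proto"], "-s", net(r["src"])]
    if r["sport"] is not None:
        parts.append(str(r["sport"]))
    parts += ["-d", net(r["dst"])]
    if r["dport"] is not None:
        parts.append(str(r["dport"]))
    if r["log"]:
        parts.append("-l")
    return " ".join(parts)


# The rule quoted in the thread: deny anything claiming a 192.168.x.x source, and log it.
DENY_PRIVATE = rule("DENY", src="192.168.0.0/16", log=True)

# Constructed stand-in for "the rest of the rule-chain": portmapper is denied from anywhere.
REST = [rule("DENY", proto="tcp", dport=111, log=True)]

# Assumed narrow exception (not from the thread): accept only HTTP replies from the modem's
# address, placed *before* the blanket DENY so that first-match picks it up.
ALLOW_MODEM_HTTP = rule("ACCEPT", proto="tcp", src="192.168.100.1/32", sport=80)

CHAIN_DEFAULT = [DENY_PRIVATE] + REST        # as shipped
CHAIN_COMMENTED = REST                       # DENY line commented out
CHAIN_NARROW = [ALLOW_MODEM_HTTP, DENY_PRIVATE] + REST

# Constructed packets; 192.168.100.20 stands in for an external NIC address in 192.168.x.x.
MODEM_REPLY = packet("192.168.100.1", "192.168.100.20", sport=80, dport=40000)
PRIVATE_SSH = packet("192.168.50.5", "192.168.100.20", sport=40001, dport=22)
PORTMAP_PROBE = packet("192.168.50.5", "192.168.100.20", sport=40002, dport=111)


if __name__ == "__main__":
    for name, chain in (("default", CHAIN_DEFAULT), ("commented", CHAIN_COMMENTED),
                        ("narrow", CHAIN_NARROW)):
        for pname, p in (("modem reply", MODEM_REPLY), ("private ssh", PRIVATE_SSH),
                         ("portmap probe", PORTMAP_PROBE)):
            print(f"{name:9s} {pname:14s} -> {evaluate(chain, p)}")
    print(to_ipchains(DENY_PRIVATE))
    print(to_ipchains(ALLOW_MODEM_HTTP))
```

With the DENY commented out, the modem's reply simply drops through to whatever the later rules and the chain policy say, and a probe from another 192.168.x.x address is still caught by the later portmapper rule, exactly as Charles describes. With the narrow ACCEPT placed in front of the DENY instead, only HTTP replies from 192.168.100.1 get through and every other 192.168.x.x source is still denied and logged. Note that ipchains is stateless, so a rule keyed on source port 80 trusts any packet the modem sends from that port; limiting the rule to the modem's single address is what keeps the exposure small.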



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
