> Thank you for your very prompt reply.  I implemented both changes you
> suggested as well as one of my own--commenting out the following line in
> /etc/ipfilter.conf (it looked like it would be necessary):
>
> $IPCH -A $LIST -j DENY -p all  -s 192.0.0.0/24 -d 0/0 -l $*
>
> However, I'm still unable to connect to the cable modem.  The log shows
> this kind of error:
>
> Apr 15 09:33:46 firewall kernel: Packet log: input DENY eth0 PROTO=6
> 192.168.100.1:80 12.237.249.125:61007 L=40 S=0x00 I=96 F=0x0000 T=30 (#17)
>
> Line #17 in the firewall rules for the input chain (I'm guessing that's
> what the #17 above means):
>
>   pkts bytes target  prot opt    tosa tosx ifname mark outsize source            destination  ports
>     14   560 DENY    all  ----l- 0xFF 0x00 eth0                192.168.100.0/24  0.0.0.0/0    n/a
>
> It looks as if the eth0_IP_EXTRA_ADDRS line has created a DENY rule.  This
> appears to be the opposite of what is needed.  Any thoughts on this?

Yeah, sorry about that...I'm a bit fuzzy today (actually taking a sick day
from work, and am a bit loopy from some anti-histamines I'm taking today).

Anyway, this is a bug in the extra IP code...find the following chunk of
code in /etc/ipfilter.conf (it's towards the bottom):

if [ "$EXTERN_DYNADDR" = "YES" -o "$EXTERN_DYNADDR" = "Yes" \
        -o "$EXTERN_DYNADDR" = "yes" ]; then
         # Spoof protection
        if_setproc $EXTERN_IF rp_filter YES
        # Kernel logging of martians on this interface
        if_setproc $EXTERN_IF log_martians YES
        local EX_IP=0/0
else
        $IPCH -A input -j DENY -p all -s $EXTERN_IP -d 0/0 -i $EXTERN_IF -l
        eval local ADDRS=\${"$EXTERN_IF"_IP_EXTRA_ADDRS:-""}
        for ADDR in $ADDRS; do
                $IPCH -A input -j DENY -p all -s $ADDR -d 0/0 \
                        -i $EXTERN_IF -l
        done; unset ADDR ADDRS
        local EX_IP=0/0
fi


Change the $ADDR variable in the for loop to ${ADDR%%[_/]*} so the loop looks
like:
        for ADDR in $ADDRS; do
                $IPCH -A input -j DENY -p all -s ${ADDR%%[_/]*} -d 0/0 \
                        -i $EXTERN_IF -l
        done; unset ADDR ADDRS

This will strip off the trailing CIDR netmask, causing the filter to block
inbound packets with a source of your external IP (desired), and not the
entire 192.168.100.0/24 net (undesired current behavior).

NOTE:  The additional line you commented (192.0.0.0/24 network) is not
causing you trouble...you should probably leave it uncommented.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
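The following is an added example, not part of the mail above or of the LRP ipfilter.conf; it replays the extra-address loop with ipchains swapped for a dry-run function that prints the rule, so the effect of the netmask bug and of the ${ADDR%%[_/]*} fix can be seen side by side. The address list is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the original ipfilter.conf code): stand-in for $IPCH that
# prints the rule it would have appended instead of calling ipchains.
ipchains_dryrun() {
    printf '%s\n' "$*"
}
IPCH=ipchains_dryrun

# The fix from the mail: drop everything from the first "/" or "_" onward,
# so "192.168.100.1/24" and "192.168.100.1_24" both become "192.168.100.1".
strip_mask() {
    ADDR=$1
    printf '%s\n' "${ADDR%%[_/]*}"
}

# The loop as it stood (buggy): the mask is passed through to -s, so ipchains
# reads "192.168.100.1/24" as the whole 192.168.100.0/24 network and the DENY
# rule swallows the cable modem's own replies (the log line in the mail).
extra_addr_rules_buggy() {
    EXTERN_IF=$1; shift
    for ADDR in "$@"; do
        $IPCH -A input -j DENY -p all -s "$ADDR" -d 0/0 -i "$EXTERN_IF" -l
    done
}

# The loop with the fix applied: -s receives only the host address, so the
# rule now matches spoofed packets claiming to come from that one IP.
extra_addr_rules_fixed() {
    EXTERN_IF=$1; shift
    for ADDR in "$@"; do
        $IPCH -A input -j DENY -p all -s "${ADDR%%[_/]*}" -d 0/0 -i "$EXTERN_IF" -l
    done
}

# Constructed sample for eth0_IP_EXTRA_ADDRS: both mask spellings the pattern
# accepts, plus a bare address that must pass through unchanged.
SAMPLE_ADDRS="192.168.100.1/24 192.168.100.1_24 10.1.2.3"

echo "# rules emitted by the original loop:"
extra_addr_rules_buggy eth0 $SAMPLE_ADDRS
echo "# rules emitted after the fix:"
extra_addr_rules_fixed eth0 $SAMPLE_ADDRS
```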


_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user