Re: [Firestarter-user] Non-routable addresses
From: Tomas J. <ma...@sc...> - 2004-04-24 13:20:13
Peter Harvey wrote:
> Hello,
>
> I'm a newbie to the world of firewall filters, and so wanted to use a
> nice tool like firestarter on my laptop while at university.
> Unfortunately, when at home, the "non-routable address" restrictions
> mean I can't talk to computers on my LAN (192.168.0.). So, I modified
> netfilter-script.c in version 0.92 so that the generated firewall.sh now
> looks like this:
>
> #Block nonroutable IPs, netblock list v2.0 2003-04-08
> $IPT -N NR 2> /dev/null
> $IPT -F NR
> $IPT -t filter -A NR -s 0.0.0.0/8 -d $NET -i $IF -j $STOP
> $IPT -t filter -A NR -s 1.0.0.0/8 -d $NET -i $IF -j $STOP
> < skipping 94 lines for brevity >
> $IPT -t filter -A NR -s 223.0.0.0/8 -d $NET -i $IF -j $STOP
> $IPT -t filter -A NR -s 224.0.0.0/3 -d $NET -i $IF -j $STOP
> $IPT -t filter -A INPUT -s ! $NET -i $IF -j NR
>
> The new firewall.sh creates a chain called NR (for Non-Routable)
> containing all the tests for non-routable addresses, and only tests
> packets against that chain if they did *not* originate from the local
> network. Logically this makes sense - we should ignore non-routable
> addresses iff we would have to communicate with a router.
>
> Maybe my problem is already fixed in the CVS version - I haven't used
> the CVS version, or even compiled the CVS version. Regardless, I have
> attached a patch for the CVS version of netfilter-script.c to use the
> above solution. Hope it can help.

I was just discussing this problem with another person not 15 minutes ago :)
Your solution looks ok to me. Thanks for the patch, I've added it to CVS.

I also created some new packages for testing:
http://firestarter.sourceforge.net/beta/0.9.3/

Regards,
Tomas
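To make the behaviour of the NR chain concrete, here is an added example (not part of this thread, and not Firestarter's own code) that emits the rule lines the patched firewall.sh would generate and simulates how netfilter walks INPUT for a single packet, both with the `-s ! $NET` jump from the patch and with the old behaviour where every packet was tested against the non-routable rules. The netblock list is a constructed subset: only 0.0.0.0/8, 1.0.0.0/8, 223.0.0.0/8 and 224.0.0.0/3 come from the mail; the RFC 1918, loopback and link-local entries are assumed, as are the sample $NET, $IF and addresses.

```python
import ipaddress
from typing import List

# Constructed subset of the "netblock list v2.0 2003-04-08" quoted in the mail;
# the real firewall.sh carries about 98 entries. Entries marked "assumed" are
# not in the mail (standard RFC 1918, loopback and link-local blocks).
NONROUTABLE = [
    "0.0.0.0/8", "1.0.0.0/8",           # from the mail
    "10.0.0.0/8", "127.0.0.0/8",        # assumed: RFC 1918, loopback
    "169.254.0.0/16", "172.16.0.0/12",  # assumed: link-local, RFC 1918
    "192.168.0.0/16",                   # assumed: the block covering Peter's LAN
    "223.0.0.0/8", "224.0.0.0/3",       # from the mail
]


def build_rules(net: str, iface: str, stop: str = "DROP") -> List[str]:
    """Emit the rule lines the patched firewall.sh generates: the NR chain
    plus the single INPUT jump that only non-local sources can match."""
    rules = ["$IPT -N NR 2> /dev/null", "$IPT -F NR"]
    for block in NONROUTABLE:
        rules.append(f"$IPT -t filter -A NR -s {block} -d {net} -i {iface} -j {stop}")
    # Packets whose source is inside the local network never enter NR.
    rules.append(f"$IPT -t filter -A INPUT -s ! {net} -i {iface} -j NR")
    return rules


def input_verdict(src: str, dst: str, in_iface: str, net: str, iface: str,
                  exempt_local: bool = True) -> str:
    """Simulate netfilter walking INPUT for one packet.

    Returns "DROP" when a non-routable rule matches, otherwise "CONTINUE"
    (the packet falls through to the rest of INPUT). exempt_local=True models
    the patched script, where NR is reached only through the `-s ! $NET` jump;
    exempt_local=False models the old script, where every packet was tested
    against the same rules directly.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    local = ipaddress.ip_network(net)
    if in_iface != iface:
        return "CONTINUE"  # neither the jump nor the NR rules match on -i
    if exempt_local and s in local:
        return "CONTINUE"  # `-s ! $NET` does not match, so NR is never consulted
    for block in NONROUTABLE:  # rules inside NR, first match wins
        if s in ipaddress.ip_network(block) and d in local:
            return "DROP"
    return "CONTINUE"  # end of NR: implicit RETURN to INPUT


if __name__ == "__main__":
    # Constructed sample: laptop at home on 192.168.0.0/24 via eth0.
    NET, IF = "192.168.0.0/24", "eth0"
    for line in build_rules(NET, IF):
        print(line)
    for src in ("192.168.0.7", "10.0.0.1", "198.51.100.9"):
        print(src, "old:", input_verdict(src, "192.168.0.2", IF, NET, IF, exempt_local=False),
              "patched:", input_verdict(src, "192.168.0.2", IF, NET, IF))
```

The simulation shows the trade-off the patch makes: a LAN peer such as 192.168.0.7 is dropped by the old rules because 192.168.0.0/16 is on the bogon list, but passes once local sources bypass NR; a non-local private source such as 10.0.0.1 is still dropped either way. Two caveats for anyone applying this today: the `-s ! $NET` form is the old intrapositioned negation that current iptables deprecates in favour of `! -s $NET`, and because the exemption keys only on the claimed source address, any packet arriving on $IF with a source inside $NET skips the NR checks entirely, so source-address validation for the local range has to come from somewhere else (for example rp_filter on the interface).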