[Leaplist] an ipcop question

John Simpson jms1 at jms1.net
Thu Dec 11 11:27:11 EST 2008



On 2008-12-11, at 0723, Hank Lambert wrote:
>
> It's my understanding that if you are inside the firewall, i.e. on the
> green, you should be able to ping the other three interfaces. However,
> if you are on the red you should not be able to ping any of the
> interfaces. I'm not sure how the blue or orange would react as I
> haven't used them.

The rules are a bit strange until you get used to them.

In a red/green situation, things work as you would expect. Nothing can
come "into" the green segment without an explicit rule allowing the
traffic. However, outbound traffic is free to go as it likes.

The orange segment... I've found it easiest to think of it like
another green segment. You can set firewall rules which only apply to
"red-to-orange" traffic, so you can allow the world to reach your
server(s) in the orange segment, but not in the green segment.
However, green cannot blithely walk through the firewall into the
orange segment: you also need to set up "green-to-orange" rules, and
if for some reason there's a machine in the orange segment which needs
to access green, you need to set up a separate rule for that.

The blue segment is like another green segment, with the added
ability to do MAC filtering (if I'm not mistaken; I've never
actually done it). It's really designed to have a wireless ACCESS
POINT attached to it, not a wireless ROUTER (or "ritter", to use
Bryan's terminology, because he's right: the units are normally only
barely functional as routers; they're designed for simple NAT use and
that's it).


> Did you ever get an answer on how to set up the blue interface? I'm
> getting ready to set up another IPCop box (my last one died) and I
> want to set up the blue interface correctly. In my last setup, I had a WAP
> hanging off of a switch, not the IPCop blue interface.

If you have an access point, or if you're buying new hardware anyway,
make sure you get an actual access point instead of a "wireless router".


--------------------------------------------------------
| John M. Simpson  --  KG4ZOW  --  Programmer At Large |
| http://www.jms1.net/                 <jms1 at jms1.net> |
--------------------------------------------------------
|   Hope for America  --  http://www.ronpaul2008.com/  |
--------------------------------------------------------
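The zone policy John describes above (green and blue go out to red freely; nothing comes in from red without a rule; green-to-orange and orange-to-green each need their own rule; blue additionally filters on MAC; the firewall's own interfaces answer from the inside but not from red), as a small policy evaluator. This is an added example written for this page, not IPCop's own firewall scripts. The subnets, the firewall holding the .1 address on each segment, the `Rule`/`Flow` names and the exact MAC-allow-list semantics for blue are assumptions made for the example.

```python
"""Model of the IPCop inter-zone policy as described in the message above.

Added example, not IPCop code. Addressing, the .1 firewall addresses and
the blue MAC-allow-list behaviour are assumptions, not IPCop's own logic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RED, GREEN, ORANGE, BLUE = "red", "green", "orange", "blue"

# Local segments behind the firewall (constructed sample addressing).
# Anything not in one of these is "red", i.e. the Internet side.
ZONES = {
    GREEN: ip_network("192.168.1.0/24"),
    ORANGE: ip_network("192.168.2.0/24"),
    BLUE: ip_network("192.168.3.0/24"),
}
# Assumed: the firewall holds .1 on each local segment plus one red address.
FIREWALL_ADDRS = {str(net.network_address + 1) for net in ZONES.values()}
FIREWALL_ADDRS.add("203.0.113.1")

# Zone pairs that forward with no explicit rule, per the message: green and
# blue may go "out" to red; every other crossing (red->green, red->orange,
# green->orange, orange->green) needs a rule in that specific direction.
DEFAULT_ALLOW = {(GREEN, RED), (BLUE, RED)}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str = "tcp"
    dst_port: Optional[int] = None  # None matches any port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None  # only consulted for hosts on blue


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return RED


def allowed(flow: Flow, rules=(), blue_macs=frozenset()) -> bool:
    """Return True if the firewall would pass this flow.

    Packets addressed to the firewall itself are answered from any local
    zone but never from red (the "can I ping the interfaces" question).
    Same-segment traffic never crosses the firewall. Blue hosts must be in
    the MAC allow-list before any forwarding rule is considered (assumed).
    """
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if flow.dst_ip in FIREWALL_ADDRS:
        return src != RED
    if src == dst:
        return True
    if src == BLUE and flow.src_mac not in blue_macs:
        return False
    if (src, dst) in DEFAULT_ALLOW:
        return True
    return any(
        r.src_zone == src and r.dst_zone == dst and r.proto == flow.proto
        and r.dst_port in (None, flow.dst_port)
        for r in rules
    )


if __name__ == "__main__":
    web = Rule(RED, ORANGE, dst_port=80)  # "let the world reach the orange web server"
    for label, flow, rules in [
        ("green -> red :80", Flow("192.168.1.10", "198.51.100.7", dst_port=80), []),
        ("red -> green :22", Flow("198.51.100.7", "192.168.1.10", dst_port=22), []),
        ("red -> orange :80, with rule", Flow("198.51.100.7", "192.168.2.20", dst_port=80), [web]),
        ("green -> orange :80, same rule", Flow("192.168.1.10", "192.168.2.20", dst_port=80), [web]),
        ("red pings red interface", Flow("198.51.100.7", "203.0.113.1", proto="icmp"), []),
    ]:
        print(f"{label:34} {'ALLOW' if allowed(flow, rules) else 'DROP'}")
```

Note that the rule for red-to-orange does nothing for green-to-orange: the last check is per direction and per zone pair, which is the point John makes about needing a separate green-to-orange rule, and another one again for orange-to-green.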