|
Setting up an "advanced" rule in gufw
I am trying to follow the example in the "Ubuntu Community Documentation" https://help.ubuntu.com/community/Gu...er%20Resources to setup a rule to allow ssh access to a Ubuntu 10.04 machine for any address between 192.168.0.100 and 192.168.0.150. According to the documentation I would enter
Quote:
If I enter the address of my source machine 192.168.0.112 into From with no port number and enter the target machine in To and 22 as the port I can connect. I can also leave off the To address and it also works - I guess it defaults to the machine running gufw. So my first question is: How can I specify a range of allowed incoming IP addresses for port 22? And my second question - Who does one contact to point out errors in "Ubuntu Community Documentation"? TIA, Ken |
Well I answered my own second question - I filed a bug report against the ubuntu-docs package. That seems to be the preferred way according to the page.
Now if only I could figure out how to specify the incoming address range. I have done so with Firestarter. Ken |
Answer 2) With it being community documentation, you can create an account, log in and make the correction yourself. The community is responsible for updating and improving the docs.
Answer 1) The docs seem to be very wrong. The "from" is the source, the "to" is the destination. It ain't a range. To be honest, the gui is rather ambiguous here. 192.168.0.100 - 192.168.0.150 isn't a very nice range, because you can't address it with one netmask. If you can change the range to 192.168.0.128 - 192.168.0.191 then you can use 255.255.255.192 (/26) to cover it. In this instance you need to set the From fields to "192.168.0.128/26" and "" And the to field wants to be "192.168.0.104" and "22". The reason for leaving the from port blank, is because a random port is used by the client. If you want to stick to the 192.168.0.100 - 150 range you will need multiple rules. The From addresses will look like this: 192.168.0.100/30 192.168.0.104/29 192.168.0.112/28 192.168.0.128/28 192.168.0.144/30 192.168.0.148/31 192.168.0.150/32 Not pretty! |
Thanks phil.d.g.
I have been playing around some - I installed Firestarter on the same (virtual) machine to see if one could read the other's rules - seems they can't. But in Firestarter I specify a range as 192.168.0.100/192.168.0.150 (not sure if that actually gives me the range I want - guess I need to verity) so I tried that in Gufw. Strange results. So I tried something I could test. From 192.168.0.120/192.168.0.150 to port 22. According to the gui this produced a rule Quote:
Quote:
Quote:
Perhaps it is interpreting the slash to mean a netmask. All of this started because I went to ubuntu.com and while poking around decided to have a look at the documentation. I focused on firewalls because I am not really happy with my grasp of setting up a personal firewall on my Ubuntu desktop. I guess this will teach me not to RTFM :banghead: Ken |
All these programs are just interfaces to iptables. Gufw is a double whammy because it wraps ufw which wraps iptables. I was interested in your problem because I use gufw on my laptop.
During my tests I looked at raw iptables rules to see how gufw changed them, that is perhaps the best place to look, afterall iptables is the thing that does the firewalling. gufw is interpreting 192.168.0.150 as the netmask, which is an invalid netmask. However, iptables accepts it, but I'm not sure how it deals with the invalid netmask. 192.168.0.16 is the base address of the network it has determined given the IP and netmask 192.168.0.100 and 192.168.0.150 |
Thanks again phil.d.g,
In looking closer at my Firestarter rules (and after looking at the Firestarter manual again) what I glanced at without really looking was an address and netmask such as Quote:
Enough of this modern computer crap. I have a 70 year old Smith & Wesson revolver which needs some gunsmithing. I think I will walk out to my shop through the cold rain and work on it for a while. Ken |
| All times are GMT -5. The time now is 03:48 PM. |