Old 12-11-2010, 01:57 PM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Setting up an "advanced" rule in gufw


I am trying to follow the example in the "Ubuntu Community Documentation" https://help.ubuntu.com/community/Gu...er%20Resources to set up a rule to allow ssh access to an Ubuntu 10.04 machine for any address between 192.168.0.100 and 192.168.0.150. According to the documentation I would enter
Quote:
"Allow", "TCP", From: "192.168.0.100"/"22", To: "192.168.0.150"/"22"
This does not work. It creates a rule which (as best I can understand it) allows the machine at 192.168.0.100 to connect to the machine at 192.168.0.150 using port 22. This is of no value as the machine running gufw is at 192.168.0.104.

If I enter the address of my source machine 192.168.0.112 into From with no port number, and enter the target machine in To with 22 as the port, I can connect. I can also leave off the To address and it also works - I guess it defaults to the machine running gufw. So my first question is: How can I specify a range of allowed incoming IP addresses for port 22?

And my second question - Who does one contact to point out errors in "Ubuntu Community Documentation"?

TIA,

Ken

Last edited by taylorkh; 12-11-2010 at 02:10 PM.
 
Old 12-11-2010, 02:26 PM   #2
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Well, I answered my own second question - I filed a bug report against the ubuntu-docs package. That seems to be the preferred way according to the page.

Now if only I could figure out how to specify the incoming address range. I have done so with Firestarter.

Ken
 
Old 12-11-2010, 02:35 PM   #3
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,272

Answer 2) With it being community documentation, you can create an account, log in and make the correction yourself. The community is responsible for updating and improving the docs.

Answer 1) The docs seem to be very wrong. The "from" is the source, the "to" is the destination. It ain't a range. To be honest, the gui is rather ambiguous here.

192.168.0.100 - 192.168.0.150 isn't a very nice range, because you can't address it with one netmask. If you can change the range to 192.168.0.128 - 192.168.0.191 then you can use 255.255.255.192 (/26) to cover it.

In this instance you need to set the From fields to "192.168.0.128/26" and "".
And the To fields want to be "192.168.0.104" and "22".

The reason for leaving the From port blank is that a random port is used by the client.

If you want to stick to the 192.168.0.100 - 150 range you will need multiple rules. The From addresses will look like this:

192.168.0.100/30
192.168.0.104/29
192.168.0.112/28
192.168.0.128/28
192.168.0.144/30
192.168.0.148/31
192.168.0.150/32

Not pretty!
 
1 members found this post helpful.
Old 12-11-2010, 03:08 PM   #4
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Thanks phil.d.g.

I have been playing around some - I installed Firestarter on the same (virtual) machine to see if one could read the other's rules - seems they can't. But in Firestarter I specify a range as 192.168.0.100/192.168.0.150 (not sure if that actually gives me the range I want - guess I need to verify) so I tried that in Gufw. Strange results. So I tried something I could test.

From 192.168.0.120/192.168.0.150 to port 22. According to the gui this produced a rule
Quote:
To 22/tcp
Action ALLOW IN
From 192.168.0.16/192.169.0.150
but according to the log
Quote:
ufw allow in proto tcp from 192.168.0.120/192.168.0.150 to any port 2
sudo ufw status shows
Quote:
To Action From
-- ------ ----
22/tcp ALLOW 192.168.0.16/192.168.0.150
And to test it I attempted to connect from my desktop at 192.168.0.112 (worked but should NOT have) and from my netbook at 192.168.0.123 (did NOT work but SHOULD have).

Perhaps it is interpreting the slash to mean a netmask.

All of this started because I went to ubuntu.com and while poking around decided to have a look at the documentation. I focused on firewalls because I am not really happy with my grasp of setting up a personal firewall on my Ubuntu desktop. I guess this will teach me not to RTFM.

Ken
 
Old 12-11-2010, 04:04 PM   #5
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,272

All these programs are just interfaces to iptables. Gufw is a double whammy because it wraps ufw which wraps iptables. I was interested in your problem because I use gufw on my laptop.

During my tests I looked at raw iptables rules to see how gufw changed them; that is perhaps the best place to look. After all, iptables is the thing that does the firewalling.

gufw is interpreting 192.168.0.150 as the netmask, which is an invalid netmask. However, iptables accepts it, but I'm not sure how it deals with the invalid netmask. 192.168.0.16 is the base address of the network it has determined given the IP and netmask 192.168.0.100 and 192.168.0.150.

Last edited by phil.d.g; 12-11-2010 at 04:18 PM.
 
1 members found this post helpful.
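A worked check of the two points phil.d.g makes above (the CIDR decomposition of 192.168.0.100-150 in post #3, and the effect of the invalid "netmask" 192.168.0.150 in post #5). This is an added Python example, not code from the thread or from ufw/gufw/iptables; it uses only the standard ipaddress module and the addresses quoted in the thread. The ufw command form it prints is assumed from the log line Ken quoted and is meant for review, not for copying into a script.

```python
import ipaddress

# Constructed from the thread: the range Ken wanted to allow for port 22.
WANTED_START = "192.168.0.100"
WANTED_END = "192.168.0.150"


def range_to_cidrs(start: str, end: str) -> list[str]:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    ufw and iptables only match address/prefix (or address/netmask), so a
    range that is not aligned to a power of two needs one rule per block.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def ufw_rules(start: str, end: str, port: int) -> list[str]:
    """Render one 'ufw allow in' line per CIDR block (format assumed from the
    log line quoted in post #4, with the port spelled out)."""
    return [
        f"ufw allow in proto tcp from {net} to any port {port}"
        for net in range_to_cidrs(start, end)
    ]


def is_contiguous_mask(mask: str) -> bool:
    """True if the mask is a run of 1-bits followed by 0-bits, i.e. a real netmask.

    Inverting a valid mask gives 0...01...1, which is one less than a power of
    two, so inv & (inv + 1) is zero exactly for valid masks.
    """
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def masked_base(addr: str, mask: str) -> str:
    """Bitwise AND of address and mask: the base address a netfilter rule stores."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def rule_matches(source: str, rule_addr: str, mask: str) -> bool:
    """Emulate the kernel's source test: (source & mask) == (rule_addr & mask).

    With a non-contiguous mask this still 'works', but the set of matching
    sources has nothing to do with a contiguous range, which is why 192.168.0.112
    got through and 192.168.0.123 did not in Ken's test.
    """
    return masked_base(source, mask) == masked_base(rule_addr, mask)


if __name__ == "__main__":
    print("Blocks covering", WANTED_START, "-", WANTED_END)
    for line in ufw_rules(WANTED_START, WANTED_END, 22):
        print("  ", line)

    bogus_mask = "192.168.0.150"
    print("Is", bogus_mask, "a valid netmask?", is_contiguous_mask(bogus_mask))
    print("Base stored for 192.168.0.120 /", bogus_mask, "->",
          masked_base("192.168.0.120", bogus_mask))
    for host in ("192.168.0.112", "192.168.0.123"):
        print(host, "matches:", rule_matches(host, "192.168.0.120", bogus_mask))
```

Running it reproduces phil.d.g's seven-block list and shows why the single /26 suggestion is attractive: 192.168.0.128-191 collapses to one rule. The netmask part shows that 192.168.0.120 AND 192.168.0.150 is 192.168.0.16, the base address ufw displayed, and that with that mask 192.168.0.112 matches while 192.168.0.123 does not, exactly the inverted result Ken saw. Before trusting any gufw/ufw rule with a "/" in it, the check worth making is is_contiguous_mask on whatever follows the slash.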
Old 12-11-2010, 05:01 PM   #6
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Thanks again phil.d.g,

In looking closer at my Firestarter rules (and after looking at the Firestarter manual again), what I glanced at without really looking was an address and netmask such as
Quote:
192.168.0.0/255.255.255
Firestarter creates the same behavior as Gufw when I input a bad netmask. When I configured Firestarter many months ago I did not get overly anal about which machines on my network could connect to which others, so I allowed anything on 192.168.0. to talk to anything else. When the Gufw documentation described a RANGE of addresses, of course I had to try it.

Enough of this modern computer crap. I have a 70 year old Smith & Wesson revolver which needs some gunsmithing. I think I will walk out to my shop through the cold rain and work on it for a while.

Ken