Geekzone: technology news, blogs, forums
208 posts

Master Geek


Topic # 91514 14-Oct-2011 16:01

I'm using a Telecom NZ Thomson TG585 V8 ADSL2 modem.

My modem is double NAT'd onto a router running Tomato firmware.

On the Telecom NZ Thomson TG585 V8 I'd like to block subnetted networks (10.0.0.0/24) on the ADSL2 (WAN) interface, for example:

211.136.0.0/13

When I attempt to block... let's say a Vodafone network, as a test, it remains accessible via the TG585.

The following event log shows a connection to a www server which is enabled via port forwarding, but which I was attempting to block on a given network/mask:

FIREWALL rule : Protocol: TCP Src ip: 202.nnn.nnn.nnn Src port: 16110 Dst ip: 10.nnn.nnn.nnn Dst port: 80 Chain: forward_host_service Rule Id: 8 Action: accept

I'm not sure if ANY tunneling takes priority over any other rules and thus becomes null when attempting to block inbound public networks by network address/subnet.

I did have a quick look at the command line firewall config, within the modem, but not being familiar with it off hand, I thought I'd ask first.

I have enabled a custom GUI firewall security profile and added the following, but it does nothing on blocking a given network:



Also, it doesn't appear to accept network masking.

Like it's not the end of the world, but I would like to say no to those 'very friendly' Chinese visitors at the front door, without them tunneling through the network to be refused on internal LAN server/routers.

I know I could buy a feature-rich ADSL2 modem/firewall, but I thought if I can get the Thomson to do it, well, that'd be just peaches.

Any thoughts?




208 posts

Master Geek


Reply # 538194 27-Oct-2011 15:32

Wow, aren't I the popular one, sitting in a corner talking to myself.

But to answer my own question, yerp, it's doable.

The Thomson TG585v8 has an extensive firewall CLI interface able to block networks and/or TCP ports, etc.

It's not for the faint-hearted and definitely not accessible via the GUI.

Insanity is only one 'rule add chain' away.... you're not in Kansas now.


8020 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 538444 28-Oct-2011 01:19

Why do you want to block a network range?

Behind NAT, one of your devices must have sent outgoing communication to an IP address in that range in order for it to be in the NAT state table, and return data coming back from that address will be let in anyway.



208 posts

Master Geek


  Reply # 538700 28-Oct-2011 13:20

Probably because I've enabled HTTP (port 80).

I could just use another port, but I'm just too slack, and after a few days I started seeing the odd port 80 connection here and there from countries I can't even spell.

It's blocked further down the path at the web server, but dude, they're inside mincing about and I don't like it, I don't like it.

Anyway, it took a few hours, but one can create an IP network/mask expression list of the good guys (New Zealanders) and then apply it to the HTTP port on an "if not this network then drop and log" basis.

As it's an inbound HTTP port check, it shouldn't be fired on established connections, and there's not too much overhead.

And besides, someone went to a lot of trouble to write this firmware/OS code, so it only seems polite to learn a bit about it and use it. Even if you really have no real reason to be using it.
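The decision order the thread converges on, as an added illustration written for this page rather than anything taken from the TG585 firmware or its CLI: inbound packets that match an existing NAT state entry are accepted regardless of source (the point made in the reply above), a port-forwarded service (TCP/80 here) is accepted only from an allowlist of network/mask expressions, and anything else arriving at that port is dropped and logged, as the original poster describes. The allowlist prefixes, the forwarded host 10.0.0.10 and the sample events are constructed for the example (they are not real New Zealand allocations); the log parser follows the shape of the "FIREWALL rule :" event quoted in the first post.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist of "good guy" network/mask expressions. Placeholder
# prefixes for the example, not real New Zealand allocations.
ALLOW_NZ: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network(p)
    for p in ("202.36.0.0/16", "203.96.0.0/16", "122.56.0.0/16")
]

# Constructed port-forward table: (protocol, WAN port) -> LAN host.
# Only HTTP is forwarded, mirroring the thread.
PORT_FORWARDS: Dict[Tuple[str, int], str] = {("TCP", 80): "10.0.0.10"}

# Parser for the TG585-style "FIREWALL rule :" event line quoted in the thread.
LOG_RE = re.compile(
    r"Protocol: (?P<proto>\w+) Src ip: (?P<sip>[\d.]+) Src port: (?P<sport>\d+) "
    r"Dst ip: (?P<dip>[\d.]+) Dst port: (?P<dport>\d+)"
)

Packet = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


def in_allowlist(ip: str, allow: List[ipaddress.IPv4Network] = ALLOW_NZ) -> bool:
    """Any matching prefix allows; an allow/deny decision needs no longest-match."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow)


class InboundFilter:
    """Models the WAN-side decision order: state table first, then port forwards."""

    def __init__(self) -> None:
        # Entries (proto, remote_ip, remote_port, wan_port) are created by
        # outbound traffic; a return packet must match all four fields.
        self.state: Set[Tuple[str, str, int, int]] = set()
        self.log: List[str] = []

    def outbound(self, proto: str, remote_ip: str, remote_port: int, wan_port: int) -> None:
        """A LAN host opened a connection; remember it so the reply is let in."""
        self.state.add((proto, remote_ip, remote_port, wan_port))

    def inbound(self, pkt: Packet) -> str:
        proto, sip, sport, dip, dport = pkt
        # 1. Return traffic for a connection a LAN host opened is always
        #    accepted, even from a range the allowlist would otherwise reject.
        if (proto, sip, sport, dport) in self.state:
            return "accept:established"
        # 2. A port forward is open to the world unless gated by the allowlist.
        if (proto, dport) in PORT_FORWARDS:
            if in_allowlist(sip):
                return "accept:forward"
            self.log.append(f"DROP {proto} {sip}:{sport} -> {dip}:{dport} (not in allowlist)")
            return "drop:not_allowlisted"
        # 3. Unsolicited traffic to anything else: default deny.
        return "drop:default"


def parse_log_line(line: str) -> Optional[Packet]:
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))


def audit(lines: List[str], fw: Optional[InboundFilter] = None) -> List[Tuple[str, str]]:
    """Replay logged events through the allowlisted policy and report the verdicts."""
    if fw is None:
        fw = InboundFilter()
    results: List[Tuple[str, str]] = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        results.append((pkt[1], fw.inbound(pkt)))
    return results


# Constructed sample events in the same shape as the one quoted in the thread.
SAMPLE_LOG = [
    "FIREWALL rule : Protocol: TCP Src ip: 211.136.10.5 Src port: 16110 Dst ip: 10.0.0.10 Dst port: 80 Chain: forward_host_service Rule Id: 8 Action: accept",
    "FIREWALL rule : Protocol: TCP Src ip: 202.36.7.9 Src port: 40001 Dst ip: 10.0.0.10 Dst port: 80 Chain: forward_host_service Rule Id: 8 Action: accept",
    "FIREWALL rule : Protocol: TCP Src ip: 211.136.10.5 Src port: 443 Dst ip: 10.0.0.10 Dst port: 51000 Chain: forward_host_service Rule Id: 8 Action: accept",
]

if __name__ == "__main__":
    fw = InboundFilter()
    # A LAN host fetched https://211.136.10.5 first; its reply must still get in
    # even though 211.136.0.0/13 is a range the poster wanted to block.
    fw.outbound("TCP", "211.136.10.5", 443, 51000)
    for src, verdict in audit(SAMPLE_LOG, fw):
        print(f"{src:15} {verdict}")
    print("\n".join(fw.log))
```

The third sample event shows why a blanket "block 211.136.0.0/13" rule is the wrong tool: it is return traffic for a connection the LAN opened and is accepted by the state table before any forward rule is consulted. Only the first event, an unsolicited hit on the forwarded HTTP port from outside the allowlist, is dropped and logged.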
