Geekzone: technology news, blogs, forums


208 posts

Master Geek


Topic # 91514 14-Oct-2011 16:01

I'm using a Telecom NZ Thomson TG585 V8 ADSL2 modem.

My modem is double NAT'd onto a router running Tomato firmware.

On the Telecom NZ Thomson TG585 V8 I'd like to block subnetted networks (e.g. 10.0.0.0/24) on the ADSL2 (WAN) interface, for example:

211.136.0.0/13

When I attempt to block, let's say, a Vodafone network as a test, it remains accessible via the TG585.

The following event log shows a connection to a www server which is enabled via port forwarding, but which I was attempting to block for a given network/mask:

FIREWALL rule : Protocol: TCP Src ip: 202.nnn.nnn.nnn Src port: 16110 Dst ip: 10.nnn.nnn.nnn Dst port: 80 Chain: forward_host_service Rule Id: 8 Action: accept

I'm not sure if ANY tunneling takes priority over any other rules and thus becomes null when attempting to block inbound public networks by network address/subnet.

I did have a quick look at the command line firewall config, within the modem, but not being familiar with it off hand, I thought I'd ask first.

I have enabled a custom GUI firewall security profile and added the following, but it does nothing to block a given network:



Also, it doesn't appear to accept network masking.

Like it's not the end of the world, but I would like to say no to those 'very friendly' Chinese visitors at the front door, without them tunneling through the network to be refused on internal LAN server/routers.

I know I could buy a feature-rich ADSL2 modem/firewall, but I thought if I can get the Thomson to do it, well, that'd be just peaches.

Any thoughts?




208 posts

Master Geek


Reply # 538194 27-Oct-2011 15:32

Wow, aren't I the popular one, sitting in a corner talking to myself.

But to answer my own question, yerp, it's doable.

The Thomson TG585v8 has an extensive firewall CLI interface able to block networks and/or TCP ports, etc.

It's not for the faint-hearted and definitely not accessible via the GUI.

Insanity is only one 'rule add chain' away.... you're not in Kansas now.


8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

Reply # 538444 28-Oct-2011 01:19

Why do you want to block a network range?

Behind NAT, one of your devices must have sent outgoing communication to an IP address in that range in order for it to be in the NAT state table, and return data coming back from that address would be let in anyway.



208 posts

Master Geek


Reply # 538700 28-Oct-2011 13:20

Probably because I've enabled HTTP (port 80).

I could just use another port, but I'm just too slack, and after a few days I started seeing the odd port 80 connection here and there from countries I can't even spell.

It's blocked further down the path at the web server, but dude, they're inside mincing about and I don't like it, I don't like it.

Anyway, it took a few hours, but one can create an IP network/mask expression list of the good guys (New Zealanders) and then apply it to the HTTP port on an "if not this network then drop and log" basis.

As it's an inbound HTTP port check, it shouldn't be fired on established connections, and not too much overhead.

And besides, someone went to a lot of trouble to write this firmware/OS code, so it only seems polite to learn a bit about it and use it, even if you have no real reason to be using it.
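The policy described in the post above (an expression list of allowed networks, checked against new inbound connections to the forwarded HTTP port, with everything else dropped and logged), as an added example that is not part of the original posts and is not Thomson TG585 CLI syntax. It is a Python model of that policy, fed with constructed event lines in the format quoted in the first post; the allow-list prefixes are RFC 5737 documentation ranges standing in for the real New Zealand allocations, and the LAN host 10.0.0.5, the outside addresses and the state-table entry are assumptions made for the demo.

```python
"""Allow-list check for new inbound connections to a forwarded port.

Added example for this thread: NOT Thomson TG585 CLI syntax and NOT the
poster's configuration. It models the approach described in the last post
(an expression list of 'good' networks applied to the forwarded HTTP port:
if the source is not in the list, drop and log) and exercises it against
constructed lines in the modem's event-log format quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed allow-list. RFC 5737 documentation prefixes stand in for the
# real New Zealand allocations the poster built; substitute real ones.
GOOD_GUYS = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# (protocol, port) pairs forwarded to a LAN host that only GOOD_GUYS may reach.
PROTECTED_PORTS = {("TCP", 80)}

# Field layout of the 'FIREWALL rule : ...' event quoted in the first post.
LOG_RE = re.compile(
    r"Protocol: (?P<proto>\w+) Src ip: (?P<sip>[\d.]+) Src port: (?P<sport>\d+) "
    r"Dst ip: (?P<dip>[\d.]+) Dst port: (?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    sip: ipaddress.IPv4Address
    sport: int
    dip: ipaddress.IPv4Address
    dport: int


def parse_firewall_event(line: str) -> Flow:
    """Pull the 5-tuple out of one firewall event line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"not a firewall event line: {line!r}")
    return Flow(m["proto"].upper(), ipaddress.ip_address(m["sip"]), int(m["sport"]),
                ipaddress.ip_address(m["dip"]), int(m["dport"]))


def in_expr_list(ip: ipaddress.IPv4Address, networks) -> bool:
    """Expression-list membership: true if ip falls inside any network/mask."""
    return any(ip in net for net in networks)


def evaluate(flow: Flow, state_table: set, log: list) -> str:
    """Decide accept/drop for one inbound (WAN -> LAN) packet.

    state_table holds (proto, lan_ip, lan_port, remote_ip, remote_port)
    tuples for connections a LAN host opened itself; replies to those are
    established traffic and never hit the port-80 allow-list check.
    """
    if (flow.proto, flow.dip, flow.dport, flow.sip, flow.sport) in state_table:
        return "accept"  # established: the NAT/state table already admits it
    if (flow.proto, flow.dport) in PROTECTED_PORTS and not in_expr_list(flow.sip, GOOD_GUYS):
        log.append(f"DROP {flow.proto} {flow.sip}:{flow.sport} -> "
                   f"{flow.dip}:{flow.dport} (source not in allow-list)")
        return "drop"
    return "accept"  # the port-forward (or another rule) accepts it


def demo():
    """Run three constructed events through the policy; returns (decisions, log)."""
    # Constructed events in the modem's log format; all addresses are placeholders.
    events = [
        # new connection to the forwarded web server from outside the list
        "FIREWALL rule : Protocol: TCP Src ip: 192.0.2.77 Src port: 16110 "
        "Dst ip: 10.0.0.5 Dst port: 80 Chain: forward_host_service Rule Id: 8 Action: accept",
        # same, but from an allow-listed source
        "FIREWALL rule : Protocol: TCP Src ip: 203.0.113.9 Src port: 51000 "
        "Dst ip: 10.0.0.5 Dst port: 80 Chain: forward_host_service Rule Id: 8 Action: accept",
        # reply to a connection the LAN host opened outbound to 192.0.2.77:80
        "FIREWALL rule : Protocol: TCP Src ip: 192.0.2.77 Src port: 80 "
        "Dst ip: 10.0.0.5 Dst port: 40000 Chain: forward_host_service Rule Id: 8 Action: accept",
    ]
    # Assumed state-table entry for the LAN host's own outbound connection.
    state = {("TCP", ipaddress.ip_address("10.0.0.5"), 40000,
              ipaddress.ip_address("192.0.2.77"), 80)}
    log: list = []
    decisions = [evaluate(parse_firewall_event(e), state, log) for e in events]
    return decisions, log


if __name__ == "__main__":
    for d in zip(*demo()):
        print(d)
```

The first event is the shape of the line quoted in the opening post: a fresh inbound connection to the forwarded port 80, which the port-forward rule accepts on its own but which this allow-list drops and logs because the source is outside the list. The third event shows why the poster's "shouldn't be fired on established connections" holds: a reply to a connection the LAN host opened is matched by the state table first and never reaches the allow-list check.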
