[nos-bbs] "ip access" cmd primer ?

N8OUZ joe at n8ouz.org
Mon Feb 6 12:47:44 EST 2012


Hello all, I tried an experiment yesterday and compiled jnos with #define IPACCESS.


I discovered I was no longer able to telnet to jnos, even after explicitly allowing tcp/23:

    ip access permit tcp all all tun0 23
    ip access permit icmp all all tun0
    ip access deny any all all tun0

(With the above, I could ping, but telnet didn't work.)
(I verified that ping stopped working if I removed /ip access permit icmp../ so the file WAS being read.)


Then again after a final attempt specifying ONLY:

    ip access permit any all all tun0

.. in hopes to at least get it working again without reverting to my saved binary.
(Telnet still didn't work, but ping still did.)


Switching binaries back, things worked just fine, so I'm pretty sure other system issues can safely be ignored.


At this point I still suspect that I'm not doing something right (not USING the command set correctly), but reading what's in the docs, I can't find what I'm doing wrong.

Does anyone have a link or place to look for more detail on the ip access options available? 


Thanks-
-jre





Here's the snippet from the current documentation:
    ip access <permit|deny|delete> <proto> <sourceaddr[/bits]|all>
              <destaddr[/bits]|all> <iface>  [loport | all [hiport]]

 

Display or set ip access controls. The ip access command controls packet routing via the specified <iface> by determining which source ip addresses <sourceaddr> are routed to which destination ip addresses <destaddr>. If no ip access commands are issued for <iface>, the default behavior is to permit all sources to access all destinations. But once an IP access command is entered for <iface>, all routes via <iface> that are not specifically permitted by an ip access command, will be denied.

 

Execution of this subcommand will add or delete an access control entry in an internal table.  Incoming packets that would be routed via <iface> are compared with the table entries for <iface>, in the order that they were added, to determine if access will be granted (and routing take place).  Access will be granted only if an entry matching <destaddr> and <sourceaddr> is found with "permit" set before either a match with "deny" set is found, or the end of the table is reached.  The optional /bits suffix to the ipaddr specifies how many leading bits in the ipaddr are to be considered significant in the routing comparisons.  If not specified, 32 bits (i.e., full significance) is assumed.


All addresses can be specified by "all". Access can be made protocol dependent via the  <proto> parameter. <proto> may be 'a' for any, 't' for TCP, 'u' for UDP, 'i' for ICMP, or the IP protocol number. For UDP and TCP protocols, loport and hiport specify the port or range of TCP or UDP ports for which the access control command applies.  If none or all is specified, all ports are assumed.

 

Enter "ip access" to display the table of current access control entries.

 

Access commands should be entered from the most specific to the least specific, since the first match (permit or deny) encountered for a given interface in the internal table is definitive. For example:

 

    # allow a specific AMPRnet host access to the internet
    ip access permit any 44.76.1.199 all eth0
    # but deny all others except UDP (eg, DNS) access
    ip access permit udp 44/8 all eth0 all
    # permit only AMPRnet hosts access to RF port
    ip access permit any 44/8 44/8 2m
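The table lookup that the quoted documentation describes (entries checked per interface in the order added, first match definitive, everything else denied once an interface has any entry) can be modelled as below. This is an added example, not part of the original post and not JNOS code; it handles permit and deny entries only. It assumes that only the first letter of <proto> is significant and that the port compared is whichever one the caller passes in, since the documentation does not say source or destination.

```python
import ipaddress
# Added model, not JNOS code. Assumption: only the first letter of <proto> counts.
PROTO = {"a": None, "t": 6, "u": 17, "i": 1}      # None = any protocol

def parse_addr(text):
    """'all', '44/8' or '44.76.1.199' -> (network, mask) as integers."""
    if text == "all":
        return 0, 0
    addr, _, bits = text.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]    # pad short forms such as '44'
    mask = (0xFFFFFFFF << (32 - int(bits or 32))) & 0xFFFFFFFF   # no suffix: 32 bits
    return int(ipaddress.IPv4Address(".".join(octets))) & mask, mask

class AccessTable:
    def __init__(self, lines=()):
        self.entries = {}                         # iface -> rules in the order added
        for line in lines:
            self.add(line)

    def add(self, line):
        action, proto, src, dst, iface, *ports = line.split()[2:]   # skip 'ip access'
        proto = PROTO[proto[0]] if proto[0].isalpha() else int(proto)
        lo, hi = 0, 65535                         # no port or 'all': every port
        if ports and ports[0] != "all":
            lo = int(ports[0])
            hi = int(ports[1]) if len(ports) > 1 else lo
        rule = (action, proto, parse_addr(src), parse_addr(dst), lo, hi)
        self.entries.setdefault(iface, []).append(rule)

    def check(self, iface, proto, src, dst, port=None):
        """Decision for a packet routed via iface; port is whichever the caller passes."""
        rules = self.entries.get(iface)
        if not rules:
            return "permit"                       # no entries for iface: permit all
        s, d = (int(ipaddress.IPv4Address(a)) for a in (src, dst))
        for action, rproto, (snet, smask), (dnet, dmask), lo, hi in rules:
            proto_ok = rproto is None or rproto == proto
            addr_ok = (s & smask) == snet and (d & dmask) == dnet
            port_ok = proto not in (6, 17) or lo <= port <= hi
            if proto_ok and addr_ok and port_ok:
                return action                     # first match is definitive
        return "deny"                             # end of table reached

# Rule sets copied from the post and from the quoted documentation example.
POSTED = AccessTable(["ip access permit tcp all all tun0 23",
                      "ip access permit icmp all all tun0",
                      "ip access deny any all all tun0"])
DOCS = AccessTable(["ip access permit any 44.76.1.199 all eth0",
                    "ip access permit udp 44/8 all eth0 all",
                    "ip access permit any 44/8 44/8 2m"])
```

Calling `POSTED.check("tun0", 6, src, dst, 23)` with any pair of addresses returns `permit` in this model, so it reflects the documented semantics only, not the behaviour reported in the post.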

 




