[nos-bbs] "ip access" cmd primer ?

Bob Tenty bobtenty at gmail.com
Mon Feb 6 17:49:34 EST 2012


Joe,

ip access is to prevent routing; you need the "tcp access" command

for instance:

   #
   # Permit all to ports 1 - 3599 (ports 25 - 26 are handled separately below)
   #
   tcp access permit     all                                     1    24
   tcp access permit     all                                    27    3599
   #
   # Permit all access to ports 3602 - 46000
   #
   tcp access permit     all                                    3602  46000
   #
   # Ports 25 - 26: deny one host, then permit the rest of 44/8
   # CONVERS ports 3600 and 3601: permit 44/8 only
   #
   tcp access deny       44.135.84.249                            25  26
   tcp access permit     44/8                                     25  26
   tcp access permit     44/8                                   3600  3601

#  NOTES:  The preceding TCP ACCESS code is read in order.  TOP down!
#  Order is important.  In reading from top down, the first rule that
#  satisfies the originating address and port requirements is the one
#  used.  So you should place excludes before includes for specific
#  originating addresses, then followed by global [all] includes or
#  excludes.



73,

Bob VE3TOK


On 12-02-06 12:47 PM, N8OUZ wrote:
>
> Hello all, I tried an experiment yesterday and compiled jnos with 
> #define IPACCESS
>
>
> I discovered  I was no longer able to telnet to jnos, even after 
> explicitly allowing tcp/23:
> ip access permit tcp all all tun0 23
> ip access permit icmp all all tun0
> ip access deny any all all tun0
> (with the above, i could ping, but telnet didn't work.)
> (I verified that ping stopped working if I removed /ip access permit 
> icmp../ so the file WAS being read..)
>
>
> Then again, after a final attempt specifying ONLY:
> ip access permit any all all tun0
> .. in hopes to at least get it working again without reverting to my 
> saved binary.
> (telnet still didn't work, but ping still did.)
>
>
> switching binaries back, things worked just fine, so I'm pretty sure 
> other system issues can safely be ignored.
>
>
> At this point I still suspect that I'm not doing something right -- 
> not USING the commandset correctly - , but reading what's in the docs, 
> I can't find what I'm doing wrong.
>
> Does anyone have a link or place to look for more detail on the ip 
> access options available?
>
>
> Thanks-
> -jre
>
>
>
>
>
> Here's the snippet from the current documentation:
>
> ip access <permit|deny|delete> <proto> <sourceaddr[/bits]|all> <destaddr[/bits]|all> <iface> [loport | all [hiport]]
>
> Display or set ip access controls. The ip access command controls 
> packet routing via the specified <iface> by determining which source 
> ip addresses <sourceaddr> are routed to which destination ip addresses 
> <destaddr>. If no ip access commands are issued for <iface>, the 
> default behavior is to permit all sources to access all destinations. 
> But once an IP access command is entered for <iface>, all routes via 
> <iface> that are not specifically permitted by an ip access command 
> will be denied.
>
> Execution of this subcommand will add or delete an access control 
> entry in an internal table. Incoming packets that would be routed via 
> <iface> are compared with the table entries for <iface>, in the order 
> that they were added, to determine if access will be granted (and 
> routing take place). Access will be granted only if an entry matching 
> <destaddr> and <sourceaddr> is found with "permit" set before either a 
> match with "deny" set is found, or the end of the table is reached. The 
> optional /bits suffix to the ipaddr specifies how many leading bits in 
> the ipaddr are to be considered significant in the routing 
> comparisons. If not specified, 32 bits (i.e., full significance) is 
> assumed.
>
>
> All addresses can be specified by "all". Access can be made protocol 
> dependent via the <proto> parameter. <proto> may be 'a' for any, 't' 
> for TCP, 'u' for UDP, 'i' for ICMP, or the IP protocol number. For UDP 
> and TCP protocols, loport and hiport specify the port or range of TCP 
> or UDP ports for which the access control command applies. If none or 
> all is specified, all ports are assumed.
>
> Enter "ip access" to display the table of current access control entries.
>
> Access commands should be entered from the most specific to the least 
> specific, since the first match (permit or deny) encountered for a 
> given interface in the internal table is definitive. For example:
>
> # allow a specific AMPRnet host access to the internet
>
> ip access permit any 44.76.1.199 all eth0
>
> # but deny all others except UDP (eg, DNS) access
>
> ip access permit udp 44/8 all eth0 all
>
> # permit only AMPRnet hosts access to RF port
>
> ip access permit any 44/8 44/8 2m
>
>
>
>
>
>
>
> _______________________________________________
> nos-bbs mailing list
> nos-bbs at tapr.org
> https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs
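To make the top-down, first-match rule in Bob's NOTES (and in the quoted ip access manual text) concrete, here is an added example, my own Python and not JNOS code: a small simulator that parses both command forms exactly as they appear in this message (Bob's "tcp access <permit|deny> <src> <loport> [hiport]" lines and Joe's "ip access <permit|deny> <proto> <src> <dst> <iface> [loport | all [hiport]]" lines), then walks a table from the top and returns the action of the first matching entry. It assumes that a table with no entries for the interface permits everything and that a non-empty table denies anything no entry matches; the quoted manual states that for ip access, and it is assumed here for tcp access as well. The hosts and ports queried at the bottom are constructed test inputs. The simulator models only the table lookup, not which packets JNOS actually subjects to which table, which is the distinction Bob's reply draws.

```python
"""Top-down, first-match evaluation of JNOS-style "tcp access" and
"ip access" tables.  Added example for this thread, not JNOS code.

Assumptions (not taken from the page): an empty table permits everything and
a non-empty table denies whatever no entry matches.  The quoted manual says
this for "ip access"; it is assumed here for "tcp access" too.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# protocol keyword (first letter) -> canonical name; None means "any"
PROTO = {"a": None, "t": "tcp", "u": "udp", "i": "icmp"}


def parse_net(text: str) -> Optional[ipaddress.IPv4Network]:
    """'all' -> None (wildcard); '44/8' or '44.135.84.249' -> network."""
    if text == "all":
        return None
    addr, _, bits = text.partition("/")
    octets = (addr.split(".") + ["0", "0", "0"])[:4]        # 44/8 -> 44.0.0.0/8
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    proto: Optional[str]                 # None = any protocol
    src: Optional[ipaddress.IPv4Network] # None = all
    dst: Optional[ipaddress.IPv4Network] # None = all (tcp access has no dst)
    iface: Optional[str]                 # None = not interface-scoped (tcp access)
    lo: int
    hi: int

    def matches(self, proto, src, dst, iface, port) -> bool:
        if self.proto is not None and proto != self.proto:
            return False
        if self.iface is not None and iface != self.iface:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        # port ranges only mean something for TCP and UDP
        if proto in ("tcp", "udp") and not (self.lo <= port <= self.hi):
            return False
        return True


def parse_line(line: str) -> Optional[Rule]:
    """Parse one config line in either of the two forms seen in this thread."""
    words = line.split("#", 1)[0].split()
    if len(words) < 5 or words[1] != "access" or words[2] not in ("permit", "deny"):
        return None                                   # blank, comment, or "delete"
    if words[0] == "tcp":
        # tcp access <permit|deny> <src[/bits]|all> <loport> [hiport]
        lo = int(words[4])
        hi = int(words[5]) if len(words) > 5 else lo
        return Rule(words[2], "tcp", parse_net(words[3]), None, None, lo, hi)
    if words[0] == "ip" and len(words) >= 7:
        # ip access <permit|deny> <proto> <src> <dst> <iface> [loport | all [hiport]]
        proto, src, dst, iface = words[3:7]
        ports = words[7:]
        if not ports or ports[0] == "all":
            lo, hi = 1, 65535
        else:
            lo = int(ports[0])
            hi = int(ports[1]) if len(ports) > 1 else lo
        return Rule(words[2], PROTO.get(proto[0], proto), parse_net(src),
                    parse_net(dst), iface, lo, hi)
    return None


def load(text: str):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def evaluate(table, proto, src, dst="0.0.0.0", iface=None, port=0) -> str:
    """Walk the table top-down; the first matching entry decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    scoped = [r for r in table if r.iface is None or r.iface == iface]
    if not scoped:
        return "permit"            # no entries for this interface: no filtering
    for rule in scoped:
        if rule.matches(proto, src, dst, iface, port):
            return rule.action
    return "deny"                  # entries exist but none matched (assumption)


# Bob's tcp access table, copied from his reply above
BOB_TCP_ACCESS = """
tcp access permit     all                1    24
tcp access permit     all               27    3599
tcp access permit     all             3602  46000
tcp access deny       44.135.84.249     25  26
tcp access permit     44/8              25  26
tcp access permit     44/8            3600  3601
"""
# Joe's ip access lines from the quoted message
JOE_IP_ACCESS = """
ip access permit tcp all all tun0 23
ip access permit icmp all all tun0
ip access deny any all all tun0
"""
BOB = load(BOB_TCP_ACCESS)
JOE = load(JOE_IP_ACCESS)
# The mistake Bob's note warns about: the same six rules, but every permit
# placed above the host-specific deny.
MISORDERED = [r for r in BOB if r.action == "permit"] + [r for r in BOB if r.action == "deny"]

if __name__ == "__main__":
    for host, port in (("44.135.84.249", 25), ("44.1.2.3", 25), ("8.8.8.8", 25), ("8.8.8.8", 3600)):
        print(host, port, "ordered:", evaluate(BOB, "tcp", host, port=port),
              "misordered:", evaluate(MISORDERED, "tcp", host, port=port))
```

Run as a script, it shows 44.135.84.249 denied on port 25 by Bob's table but permitted once the 44/8 permit sits above the deny, which is exactly why his NOTES say to put the specific excludes first. Queried against Joe's ip access lines, a TCP connection to port 23 via tun0 comes back "permit", so the table as written is not what refuses his telnet.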
