Hi Folks,
I've got a Cisco 675 DSL modem/router behind which all my gear hooks up to each other and the 675 via non-routable 10.0.0.0-type addresses. The 675 itself is 10.0.0.1 and serves as a DHCP server for my LAN machines--simple enough; it works great. But, what I want to do is set the 675 up so that the applications (telnet, tftp, and the web configuration tool) are only accessible from the LAN side. Now, you can set them so they're only accessible from a single IP address, but I was hoping for a more general approach.
It seemed like IP filtering was the way to go, but I've tried all kinds of combinations and I must surely be missing something fundamental, because ANY filter I create disables all the applications from anywhere. The manual and the on-line help have allowed me to enter the SET FILTER commands, but I'm a little hazy on some of the details. (Part of the problem may be that the manual is for an older version of the CBOS code--but I'm afraid that the main problem is I don't quite get exactly what the parameters of the command mean, never mind whether I'm entering them correctly.)
I'm guessing that you'd sometimes need paired filters for incoming and outgoing, but I thought if I just stopped the incoming traffic to the ports in question, I'd be in business. But, that seems to stop all traffic regardless of the settings.
As a concrete example: suppose I want to filter out WAN-side traffic to port 23 on the 675 so that I can telnet to the 675 from any system on my LAN, but you can't from the WAN side at all. It seems to me that I'd do something like this:
set filter 0 on deny incoming wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol UDP destport 23-23
Using the 0s in IP and port to include traffic from any address/port--is that right? However, this seems to prevent me from doing a telnet to 10.0.0.1 from any of my LAN boxes as well--which I hadn't expected, since that traffic would be going through the eth0 port, not the wan0-0 port. Did I need to also say that the eth0 traffic was allowed?
I tried switching the above specs to a higher number (so it'd operate later, right?) and put in a filter 0 something like this:
set filter 0 on allow incoming eth0 10.0.0.0 255.255.255.0 10.0.0.1 255.255.255.255 protocol UDP destport 23-23
That didn't help. I added a filter 1 with the outgoing specs matching those above--no help.
I'd be just delighted with a reference to a site or document that would help me out with the fundamental issues I'm obviously not grasping. (Just BTW, I tried every possible set up I could think of for the IP/port--I never got anything that would let me communicate with the 675.)
Thanks for anything you can tell me!
John
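To make the matching question in the post concrete, here is an added Python model (not anything from the post or from Cisco) that parses the two `set filter` lines exactly as John wrote them and evaluates them against constructed telnet packets. It assumes the usual mask semantics (0.0.0.0 ignores every bit, 255.255.255.255 requires an exact match), first-match in filter-number order, and a caller-supplied default for the no-match case, since the post does not establish what the 675 does then; the filter numbers and packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    num: int; action: str; direction: str; iface: str
    src: str; smask: str; dst: str; dmask: str
    proto: str; lo: int; hi: int

def parse_rule(line):
    # "set filter N on ACTION DIR IFACE SRC SMASK DST DMASK protocol PROTO destport LO-HI"
    t = line.split()
    lo, hi = t[14].split("-")
    return Rule(int(t[2]), t[4], t[5], t[6], t[7], t[8], t[9], t[10],
                t[12].upper(), int(lo), int(hi))

def masked_match(addr, pattern, mask):
    # Assumed semantics: only the bits set in the mask are compared.
    a, p, m = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, mask))
    return (a & m) == (p & m)

def rule_matches(r, pkt):
    return (r.direction == pkt["dir"] and r.iface == pkt["iface"]
            and r.proto == pkt["proto"]
            and masked_match(pkt["src"], r.src, r.smask)
            and masked_match(pkt["dst"], r.dst, r.dmask)
            and r.lo <= pkt["dport"] <= r.hi)

def evaluate(rules, pkt, default):
    # First matching rule (lowest filter number) decides; otherwise the default applies.
    for r in sorted(rules, key=lambda x: x.num):
        if rule_matches(r, pkt):
            return r.action, r.num
    return default, None

def posted_rules(proto):
    # The post's two lines: allow kept as filter 0, deny renumbered to 1 (constructed order).
    return [parse_rule(f"set filter 0 on allow incoming eth0 10.0.0.0 255.255.255.0 "
                       f"10.0.0.1 255.255.255.255 protocol {proto} destport 23-23"),
            parse_rule(f"set filter 1 on deny incoming wan0-0 0.0.0.0 0.0.0.0 "
                       f"0.0.0.0 0.0.0.0 protocol {proto} destport 23-23")]

# Constructed telnet packets: one from a LAN host via eth0, one from the Internet via wan0-0.
LAN_TELNET = {"dir": "incoming", "iface": "eth0", "proto": "TCP",
              "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 23}
WAN_TELNET = {"dir": "incoming", "iface": "wan0-0", "proto": "TCP",
              "src": "203.0.113.9", "dst": "198.51.100.2", "dport": 23}

def verdicts(proto, default):
    return {name: evaluate(posted_rules(proto), pkt, default)[0]
            for name, pkt in (("lan", LAN_TELNET), ("wan", WAN_TELNET))}
```

Because telnet runs over TCP, `verdicts("UDP", "deny")` never matches either rule and both packets fall through to the default, whereas `verdicts("TCP", "deny")` yields the LAN allow and WAN deny the post is after.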