[KLUG Members] IPCop Blue/Green HP LaserJet
Greg Mason
gmason at fast-mail.org
Tue Jan 17 08:17:01 EST 2006
On Jan 10, 2006, at 9:20 AM, Adam Tauno Williams wrote:
>>> I'm running IPCop 1.4.10 with a "RED/GREEN/BLUE" Ethernet setup.
>>> Can someone point me in the right direction to allow "Blue"
>>> (192.168.2.x) PCs (XP/SP2) running "HP Install Network Printer
>>> Wizard" to connect to a "Green" (192.168.1.31:9100)
>>> HP4MV/LaserJet printer?
>>>
IPCop has a "feature" that blue cannot make outgoing connections to
green, i.e. blue cannot initiate a connection to anything on green.
This makes sense because Blue is a partially untrusted network,
therefore you don't want to give them free rein. To get around this,
you either have to explicitly allow each device on blue to connect
to the specific IP address/port on green, or look at maybe setting up a
print server on Orange (the DMZ subnet for IPCop). Orange can't
initiate connections to any subnet other than Red, but blue and green
can connect to it.
I banged my head against the wall on this issue, and I finally gave
up and added the 4th subnet on my IPCop box, because this behavior in
IPCop is by design, and isn't going to be changed any time soon by
the developers (bunch of paranoid freaks, which are the perfect
people to be making a firewall distro, IMO)
>>> What I'm looking for is the appropriate iptables rules and/or
>>> IPCop DMZ pinholes.
>
> Just accept TCP/9100 on the "blue" interface. Does IPCop provide a web
> interface for this? I haven't seen an IPCop box in years.
>
>>> Or maybe, how do I enable iptables/kernel logging for any access
>>> to 192.168.1.31 so I can see what ports/protocols are used?
There are many addons for IPCop that allow you to do all kinds of
logging things. firewalladdons.sourceforge.net is the place to go.
-Greg
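
Added example, not part of the message above and not IPCop's own code: a small script that prints, for review, one logging rule and one accept rule per named Blue host, scoped to the printer address and port from the thread. The interface names, the chain name and the log prefix are assumptions, and return traffic is assumed to be covered by the firewall's existing ESTABLISHED,RELATED rule.

```shell
#!/bin/sh
# Print (do not apply) per-host pinhole rules: Blue hosts -> Green printer.
# Interface names, chain and log prefix are assumptions, not from the thread.
BLUE_IF="${BLUE_IF:-eth2}"     # assumed Blue interface
GREEN_IF="${GREEN_IF:-eth0}"   # assumed Green interface
CHAIN="${CHAIN:-FORWARD}"      # assumed chain; adjust for your firewall
PRINTER="192.168.1.31"         # printer address from the thread
PORT="9100"                    # printer port from the thread
BLUE_PREFIX="192.168.2."       # Blue subnet from the thread

# valid_blue_host ADDR: succeed only for 192.168.2.1 through 192.168.2.254.
valid_blue_host() {
    case "$1" in
        "$BLUE_PREFIX"*) last="${1#"$BLUE_PREFIX"}" ;;
        *) return 1 ;;
    esac
    case "$last" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric host part
    esac
    [ "${#last}" -le 3 ] && [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# pinhole_rules HOST...: emit a LOG and an ACCEPT rule for each valid host.
# Returns non-zero if any argument was rejected, so a typo never widens access.
pinhole_rules() {
    rc=0
    for host in "$@"; do
        if ! valid_blue_host "$host"; then
            echo "skipped, not a Blue host address: $host" >&2
            rc=1; continue
        fi
        base="-i $BLUE_IF -o $GREEN_IF -s $host -d $PRINTER -p tcp --dport $PORT"
        # Log only new connections, so the log shows who connects, not every packet.
        echo "iptables -A $CHAIN $base -m state --state NEW -j LOG --log-prefix 'BLUE2PRN '"
        echo "iptables -A $CHAIN $base -j ACCEPT"
    done
    return $rc
}

# Stand-alone use: sh pinholes.sh 192.168.2.10 192.168.2.11
if [ "$#" -gt 0 ]; then
    pinhole_rules "$@"
fi
```

The LOG rule comes before the ACCEPT rule because a packet that hits ACCEPT stops traversing the chain and would never reach a later LOG rule.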