[KLUG Members] IPCop Blue/Green HP LaserJet

Greg Mason gmason at fast-mail.org
Tue Jan 17 08:17:01 EST 2006


On Jan 10, 2006, at 9:20 AM, Adam Tauno Williams wrote:

>>> I'm running IPCop 1.4.10 with a "RED/GREEN/BLUE" Ethernet setup.
>>> Can someone point me in the right direction to allow "Blue"
>>> (192.168.2.x) PCs (XP/SP2) running "HP Install Network Printer
>>> Wizard" to connect to a "Green" (192.168.1.31:9100)
>>> HP4MV/LaserJet printer?
>>>

IPCop has a "feature" that blue cannot make outgoing connections to
green, i.e. blue cannot initiate a connection to anything on green.
This makes sense because Blue is a partially untrusted network,
therefore you don't want to give them free rein. To get around this,
you either have to explicitly allow each device on blue to connect to
the specific IP address/port on green, or look at maybe setting up a
print server on Orange (the DMZ subnet for IPCop). Orange can't
initiate connections to any subnet other than Red, but blue and green
can connect to it.

I banged my head against the wall on this issue, and I finally gave
up and added the 4th subnet on my IPCop box, because this behavior in
IPCop is by design, and isn't going to be changed any time soon by
the developers (bunch of paranoid freaks, who are the perfect
people to be making a firewall distro, IMO).

>>> What I'm looking for is the appropriate iptables rules and/or
>>> IPCop DMZ pinholes.
>
> Just accept TCP/9100 on the "blue" interface.  Does IPCop provide a web
> interface for this?  I haven't seen an IPCop box in years.
>
>>> Or maybe, how do I enable iptables/kernel logging for any access
>>> to 192.168.1.31 so I can see what ports/protocols are used?

There are many addons for IPCop that allow you to do all kinds of
logging things. firewalladdons.sourceforge.net is the place to go.

-Greg
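An added example, not code from Greg's reply, from the original question or from the IPCop project, showing what the per-device "pinhole" approach described above looks like as iptables rules, plus a LOG rule that answers the logging question (which ports/protocols the HP wizard actually tries against 192.168.1.31). Everything below the thread does not state is an assumption: Green on eth0, Blue on eth2, a CUSTOMFORWARD chain of the kind IPCop 1.4's /etc/rc.d/rc.firewall.local provides, and the two Blue workstation addresses, which are made up for the run at the bottom. By default the script only prints the iptables commands; set IPT=/sbin/iptables as root on the firewall to apply them.

```shell
#!/bin/sh
# Added example, not code from the list post or from the IPCop project.
# It generates the iptables "pinhole" rules Greg describes: each Blue host
# that may print gets an explicit ACCEPT to the printer's IP/port on Green,
# and everything else a Blue host throws at the printer is logged so you can
# see which ports/protocols the HP wizard really uses.
#
# ASSUMPTIONS (none of these come from the thread): Green is eth0, Blue is
# eth2, and the rules go into a CUSTOMFORWARD chain such as IPCop 1.4's
# /etc/rc.d/rc.firewall.local provides. Check your box and adjust.
GREEN_IF=eth0
BLUE_IF=eth2
CHAIN=CUSTOMFORWARD
# Dry run by default: commands are printed, not executed. On the firewall,
# run with IPT=/sbin/iptables as root to apply them.
IPT=${IPT:-echo iptables}

# Crude dotted-quad check (four decimal octets, each 0-255), so that an
# operator typo cannot turn into a rule that matches far more than intended.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# Arguments for one pinhole: Blue host $1 may open TCP connections to Green
# host $2 port $3. Only NEW is matched; replies ride on the firewall's
# existing ESTABLISHED,RELATED rule.
pinhole_args() {
    printf -- '-A %s -i %s -o %s -p tcp -s %s -d %s --dport %s -m state --state NEW -j ACCEPT' \
        "$CHAIN" "$BLUE_IF" "$GREEN_IF" "$1" "$2" "$3"
}

# Arguments for a rate-limited LOG of every other new connection from Blue
# to host $1 (any protocol). Nothing is dropped here; the firewall's default
# policy still does that. Look for the prefix in the kernel log (dmesg).
log_args() {
    printf -- '-A %s -i %s -o %s -d %s -m state --state NEW -m limit --limit 10/min -j LOG --log-prefix blue2printer:' \
        "$CHAIN" "$BLUE_IF" "$GREEN_IF" "$1"
}

# Validate, then add one pinhole. Returns non-zero on bad input.
add_pinhole() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "bad address: $1 -> $2" >&2; return 1; }
    case $3 in ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;; esac
    $IPT $(pinhole_args "$1" "$2" "$3")
}

# Worked run for the thread's setup: two constructed Blue workstations,
# the Green LaserJet at 192.168.1.31:9100, then the catch-all log rule.
# ACCEPT rules must come before the LOG rule, or every print job gets logged.
for host in 192.168.2.10 192.168.2.11; do
    add_pinhole "$host" 192.168.1.31 9100
done
$IPT $(log_args 192.168.1.31)
```

Rule order is the part people get wrong: the per-host ACCEPTs go in first, then the LOG, and no DROP is added because the firewall already drops Blue-to-Green traffic by default. Once the log shows the wizard only ever needing TCP/9100 (or reveals an extra port such as SNMP discovery), narrow or extend the pinholes to exactly that.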

