Originally Posted by
noblem
The allow.p2p file may not have the desired effect as it creates iptables rules to allow traffic out to the allowed range, in from the allowed range and forwarded traffic from either a source or destination of the allowed range.
This is fine if you want to allow a host/range that's external to the local LAN (which I'm guessing was the idea). If you're trying to use it to allow traffic from your local LAN, the in and out will be backwards and all forwarded traffic will bypass moblock totally, which probably isn't what you want, especially if the moblock host is doing NAT for your internal network.
The WHITE_LOCAL option may work, but forwarding is still going to be a problem so removing the lan range from the blocklist is probably the safest option
That's why you can configure /etc/default/moblock with the following rules:
Code:
ALLOW_IN="$CONF_DIR/allow-in.p2p"
ALLOW_OUT="$CONF_DIR/allow-out.p2p"
ALLOW_FW="$CONF_DIR/allow-fw.p2p"
This way you can create different allow lists for INBOUND, OUTBOUND and FORWARD traffic.
BTW, the local network whitelisting feature is still experimental, so again, using the allow lists is the best way.
EDIT: I forgot to mention that the iptables rules created by the allow lists are related only to traffic marked by moblock, which means that if you want to confine traffic on local ranges to the local network, all you have to do is create iptables rules that allow local traffic but block external access to those ranges. This can be done by manually inserting iptables rules, using a firewall manager like Firestarter, or using moblock's custom scripts. This gives a lot of flexibility to control your traffic, as long as you understand how iptables works.
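As an added illustration of the two points in the reply above (separate allow lists per direction, and confining local ranges with your own iptables rules), here is a small Python script that is not from the thread or from the MoBlock project. It assumes the PeerGuardian `.p2p` text format (`description:first-last`, one range per line, `#` comments), checks whether a given LAN prefix is fully covered by an allow list, and builds the plain iptables commands that let LAN-to-LAN traffic through while dropping packets from outside that are addressed to the local range. Chain names and the sample list are constructed for the example; the script only generates the rule strings, it does not run iptables, and it does not know anything about moblock's own marking chains.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample allow list in .p2p format; not a file from the thread.
SAMPLE_ALLOW_IN = """\
# home network, allowed inbound
Home LAN:192.168.1.0-192.168.1.255
Printer (single host):10.0.0.5-10.0.0.5
"""

Range = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_p2p(text: str) -> List[Range]:
    """Parse 'name:first-last' lines into (name, first, last) IPv4 ranges.

    Malformed lines raise ValueError so a typo in an allow list is noticed
    instead of silently allowing or blocking the wrong addresses.
    """
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The description may contain ':' itself, so split on the last one.
        name, sep, span = line.rpartition(":")
        if not sep:
            raise ValueError(f"line {lineno}: missing ':' separator")
        first, dash, last = span.partition("-")
        if not dash:
            raise ValueError(f"line {lineno}: expected first-last range")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip())
        if lo > hi:
            raise ValueError(f"line {lineno}: range start is above range end")
        ranges.append((name.strip(), lo, hi))
    return ranges


def ranges_to_networks(ranges: List[Range]) -> List[ipaddress.IPv4Network]:
    """Convert first-last ranges into the CIDR blocks iptables accepts."""
    nets: List[ipaddress.IPv4Network] = []
    for _, lo, hi in ranges:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


def covers(ranges: List[Range], cidr: str) -> bool:
    """True if some single range in the list contains the whole CIDR block."""
    net = ipaddress.IPv4Network(cidr)
    return any(lo <= net.network_address and net.broadcast_address <= hi
               for _, lo, hi in ranges)


def lan_confinement_rules(lan_cidr: str,
                          chains: Tuple[str, ...] = ("INPUT", "FORWARD")) -> List[str]:
    """Build iptables commands that keep traffic to the LAN range local.

    For each chain: accept LAN-to-LAN, then drop anything from outside the
    LAN that is addressed to the LAN. The commands are appended in order,
    so the ACCEPT must stay ahead of the DROP.
    """
    lan = str(ipaddress.IPv4Network(lan_cidr))
    rules: List[str] = []
    for chain in chains:
        rules.append(f"iptables -A {chain} -s {lan} -d {lan} -j ACCEPT")
        rules.append(f"iptables -A {chain} ! -s {lan} -d {lan} -j DROP")
    return rules


if __name__ == "__main__":
    allowed = parse_p2p(SAMPLE_ALLOW_IN)
    for name, lo, hi in allowed:
        print(f"{name}: {lo}-{hi}")
    print("LAN 192.168.1.0/24 covered:", covers(allowed, "192.168.1.0/24"))
    print("\n".join(lan_confinement_rules("192.168.1.0/24")))
```

Run it against your real `allow-in.p2p` by reading the file into `parse_p2p`; if `covers` reports False for your LAN prefix, the allow list has a gap that noblem's in/out concern would not fix.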