On 2006-02-14 (Tue) at 22:23 +1030, Tim wrote:
> On Tue, 2006-02-14 at 11:28 +0900, Joel Rees wrote:
> > Reason I ask is that, as I understand it, you can't open a port to the
> > LAN while keeping it closed to the world unless you know what ranges
> > of addresses are used on the LAN. Not everyone chooses to use
> > 192.168.0.nnn for their LANs, you know.
>
> It's doable, in a few ways. Here are two that I can think of off the top
> of my head:
>
> Ask the user which interfaces are LAN and WAN, then apply the rules to
> the interface, regardless of what address is used by them.

Since most machines used as workstations only have one interface, would it be more appropriate to think about the router?

Maybe have a short script that queries the person doing the install as to whether to open the printer port to the local network and whether to open it beyond the local network, then set the firewall ...

... of course, you'd want to put a warning in about any zombies present on the LAN more or less undoing the effect, but that's basically the risk you always have to take with sharing ...

Uhm, what was the question again?

Since the firewall on the router is usually the one responsible for keeping shared LAN-side resources off the WAN, am I talking about something you are not, perchance? If so, I beg your pardon.

> Automatically examine the machine's own IP and netmask, define a rule
> based on them.
>
> Apply broad rules for the main LAN IP ranges, hoping they apply. It's a
> fair bet that the common private IP ranges won't be used over the
> internet, though some ISPs do that.
>
> --
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
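As an added illustration of the approaches discussed in this thread (this is example code, not something either poster wrote or a script from any distribution), the following POSIX shell script derives the LAN range from the machine's own IP and netmask (Tim's second approach), binds the rule to the named interface as well (his first), and warns when the address is not in an RFC 1918 block (the caveat in his third). It assumes things the thread does not state: that "the printer port" is CUPS/IPP on 631/tcp, that the firewall is iptables, and that the rules should be printed rather than applied so the logic can be checked without root. It also rejects non-contiguous netmasks, which would otherwise silently produce a wrong "LAN" range.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a LAN-only iptables
# rule set for a printer port from the machine's own IP and netmask.
# Assumptions (not stated in the thread): the printer service is CUPS/IPP on
# 631/tcp, the firewall is iptables, and the rules are printed rather than
# applied so the logic can be checked without root.

PRINTER_PORT=631   # assumed CUPS/IPP; LPD would be 515

# Dotted quad -> 32-bit integer, with basic validation.
ip_to_int() {
    case $1 in
        *.*.*.*.*|*[!0-9.]*) echo "bad address: $1" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "bad address: $1" >&2; return 1 ;;
    esac
    o1=${1%%.*}; r=${1#*.}
    o2=${r%%.*}; r=${r#*.}
    o3=${r%%.*}; o4=${r#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do
        if [ -z "$o" ] || [ "$o" -gt 255 ]; then
            echo "bad address: $1" >&2; return 1
        fi
    done
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length. Rejects non-contiguous masks such as 255.0.255.0,
# which would otherwise silently produce a wrong "LAN" range.
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    bits=0
    while [ "$bits" -lt 32 ] && [ $(( (m >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$((bits + 1))
    done
    if [ $(( m & (4294967295 >> bits) )) -ne 0 ]; then
        echo "bad netmask: $1" >&2; return 1
    fi
    echo "$bits"
}

# Network address of the interface in CIDR form, e.g. 192.168.1.0/24.
lan_cidr() {
    ip=$(ip_to_int "$1") || return 1
    prefix=$(mask_to_prefix "$2") || return 1
    mask=$(ip_to_int "$2") || return 1
    echo "$(int_to_ip $(( ip & mask )))/$prefix"
}

# True if the address is in an RFC 1918 block (10/8, 172.16/12, 192.168/16).
is_private() {
    n=$(ip_to_int "$1") || return 1
    [ $(( n >> 24 )) -eq 10 ] && return 0
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0
    return 1
}

# Print the rules: accept the printer port only from the derived LAN range
# arriving on the named interface, then drop it from everywhere else.
printer_rules() {
    iface=$1
    cidr=$(lan_cidr "$2" "$3") || return 1
    if ! is_private "$2"; then
        echo "# warning: $2 is not an RFC 1918 address; this 'LAN' may be reachable from the Internet"
    fi
    echo "iptables -A INPUT -i $iface -s $cidr -p tcp --dport $PRINTER_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $PRINTER_PORT -j DROP"
}

# Usage: sh lanprinter.sh eth0 192.168.1.5 255.255.255.0
if [ "$#" -eq 3 ]; then
    printer_rules "$@"
fi
```

On a single-interface workstation of the kind Joel describes, the `-i` match adds nothing over the source-range match, but it costs nothing and is what keeps the rule correct on a box that later gains a second interface. The warning does not attempt to prove the address is unroutable, since, as Tim notes, some ISPs do hand out private addresses; it only flags the case where the derived "LAN" range is plainly public.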