Firewall Changes for Those Who Can’t Get to

A couple of people have mentioned problems getting to the site lately. The problem is that the IP address it recently moved onto (an address in the 69.* range) is still treated as a reserved, unallocated range by your Firecard or GGOS/Gateway Guardian based firewall (or maybe something else you have). Lists of IANA-reserved blocks go stale as IANA hands those blocks out, and a filter built from an old list silently drops traffic to and from the newly allocated space.

If you have a Firecard (this is for all the ex-Merilus people out there), do the following on the device (see the update below for the CSMv2 management-console route):

  • ssh into the device (you know how; if not, ask me via email)
  • # cd /etc/fw
  • edit the file “spoof”: # vi spoof
  • a page or so down there is a comment starting

    # The rules below exist as per RFC 1466 – Reserved by IANA

    Below that, find the line whose IP starts with 69. and remove it. Remove only that line; the other reserved ranges are still worth blocking.
  • save and exit: <esc>:x
  • re-run the firewall script: # /etc/firewall

Now you should be able to access the site. Because I’m bad and lazy and horrible I just removed all the lines below the comment I noted above, at least until an update comes down from SafetyNet.

These edits are lost on reboot, so to make them stick you also have to change the copy on the config partition:

  • mount the config partition: # mnt 2
  • go into the fw directory on it: # cd /2/etc/fw
  • edit and save the file as in the steps above.

Hopefully this will keep things fixed up. Please let me know if I missed anything here, guys. Muckhead mentioned that he didn’t have a spoof file in /2/etc/fw, so I’m not sure what’s up with that; maybe an older version of the software or something.
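As an added example (not from the original post), here are the two manual edits above done as a script. It strips only the rule for the prefix you name from the section under the RFC 1466 comment, keeps a backup, and leaves the other reserved ranges in place rather than deleting the whole block. The spoof-file layout and the `deny src` rule syntax are constructed for illustration; the real /etc/fw/spoof format is not shown here, so adjust the pattern to whatever the device actually writes.

```shell
#!/bin/sh
# Added example, not the page's own code: remove the anti-spoof rule for one
# reallocated prefix from a Firecard-style "spoof" file.
# ASSUMPTION: the file layout and "deny src" syntax below are constructed;
# the real /etc/fw/spoof format is not shown on the page.

# Constructed sample spoof file (hypothetical rule syntax).
write_sample_spoof() {
  cat > "$1" <<'EOF'
# Anti-spoof rules: private address space
deny src 10.0.0.0/8
deny src 192.168.0.0/16
# The rules below exist as per RFC 1466 - Reserved by IANA
deny src 69.0.0.0/8
deny src 70.0.0.0/8
deny src 169.0.0.0/8
EOF
}

# unblock_prefix FILE FIRST_OCTET
# Drops only the rules under the "RFC 1466" comment whose address begins
# with FIRST_OCTET (so 169.* is not touched when you ask for 69), keeps a
# .bak copy for rollback, and prints the number of lines removed.
unblock_prefix() {
  file=$1
  octet=$2
  cp "$file" "$file.bak" || return 1
  awk -v o="$octet" '
    /RFC 1466/ { inres = 1 }                       # only edit the reserved block
    inres && $0 ~ ("(^|[^0-9.])" o "\\.") { next }  # drop rules for that octet
    { print }
  ' "$file" > "$file.new" || return 1
  mv "$file.new" "$file"
  old=$(wc -l < "$file.bak")
  new=$(wc -l < "$file")
  echo $((old - new))
}

# rules_for_octet FILE FIRST_OCTET: how many deny rules still match the octet.
rules_for_octet() {
  grep -c "src $2\\." "$1" || true
}

# Stand-alone demonstration on a temporary copy of the constructed sample.
demo() {
  dir=$(mktemp -d) || return 1
  write_sample_spoof "$dir/spoof"
  echo "removed $(unblock_prefix "$dir/spoof" 69) rule(s); remaining file:"
  cat "$dir/spoof"
  rm -rf "$dir"
}
demo
```

Run it once against /etc/fw/spoof and re-run /etc/firewall, then after `mnt 2` run it again against /2/etc/fw/spoof so the change survives a reboot. It needs only POSIX sh and awk, and the .bak file lets you put the original rule back if the device update from SafetyNet expects it.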

Update: it can also be edited from the CSMv2 software. Go to security->setup for the device and click Advanced, then remove the subnet from the list, then save and upload. If you don’t have anything in the list, Muckhead says to set it to the defaults minus the 60.* entry, “and life is good.”

3 Comments on “Firewall Changes for Those Who Can’t Get to”

  1. I just manually changed this last night as per a suggestion from Silverstr. Anyway, I did some checking on my system and came to the following conclusions.
    1.) When I upgraded to CSMv2 it didn’t create the list of networks in the advanced area.
    2.) If the advanced area is not filled in, no spoof file is created and uploaded to /2/etc/fw. This is probably why Muckhead couldn’t find it.
    3.) If there is no spoof file in /2/etc/fw there must be an old version in one of the .gg packages which contains the 69.* network. I vaguely remember that we did bug and fix the removal of that network from the list at one time.
    Oh well. You can take my QA job away from me but you can’t make me stop working. 😉

  2. Ok so the short form is this.
    If you are using CSMv2 all you actually need to do is go to Security – Setup and hit the Advanced button. If the list box is not filled in, hit the Defaults button in the lower left corner. Save changes and upload to your device.
    You don’t actually have to remove the 60.* entry because it doesn’t cover the 69.* network anyway.

  3. Well, I’m a barrel full of uf problems today. For some reason, I can’t send off of the uf mail server, and I can’t send OR receive on the ufies server. I think I have something configured wrong in my settings for the ufies server (I’ll check it out when I get home; Tehanu and I are still working out our kinks), and as for uf… I sent mail off of it the other day, but something could be funk-ay on my end.
    My geek quotient has plummeted since my little backdoor problem, so anything is possible 😉