Vulnerability Development mailing list archives

Re: Phenoelit Advisory 0815 ++ // Xedia


From: Tom Clancy <tom () keysoftware com>
Date: 3 Nov 2002 00:45:26 -0000

In-Reply-To: <3D4271A3.3050003 () phenoelit de>

[ Overview ]
      The Lucent Access Point Router is a mid-range Access Level Router
      that supports a wide range of cool features such as CBQ (QoS stuff).
      
[ Description ]
      The Lucent Access Point has a web server providing a colorful
      interface to use for configuration.  This interface is apparently 
      for those people who don't like the extremely powerful 
      command-line. When sending an HTTP GET request with approximately
      4000 characters in the URI to the server, the Access Point reboots.

[ Solution ]

Use the CBQ functionality!
   Setup CBQ:
To allow web access to the specified router interface(s) from a specific IP(s)

To drop packets to all router interfaces 
Ex CBQ 1 = WAN in
-Block ALL traffic 
add cbq.1 traffic-class.Deny-default parent root-input-tree bandwidth-allocation 0 bounded true

-allow HTTP traffic from WAN in
add cbq.1 traffic-class.httpWANin parent root-input-tree bandwidth-allocation 1000000 bounded true dest-ip-addresses (IP's here) application http row-status active

-allow Return Flow out - established TRAFFIC
add cbq.1 traffic-class.httpWANreturn parent root-output-tree bandwidth-allocation 1000000 bounded true dest-ip-addresses (IP's here) application httpEstablished row-status active

-Block ALL traffic to router interface
add cbq.1 traffic-class.BlockRouterIPAccess parent root-input-tree bandwidth-allocation 0 bounded true peer-classification-order 90 dest-ip-addresses xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxxx row-status active

add cbq.1 traffic-class.AllowWebMange parent root-input-tree bandwidth-allocation 64000 bounded true peer-classification-order 40 src-ip-addresses xxx.xxx.xxx.xxx dest-ip-addresses xxx.xxx.xxxx application http row-status active
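
Added example, not part of the original post or the advisory: a log review that checks whether the filtering described above is holding, by flagging HTTP requests to the router's own interface that come from outside the management source list or carry an overlong URI. The addresses, the 2048-character threshold and the "timestamp src dst METHOD URI" record layout are assumptions for illustration.

```python
import ipaddress

# Assumptions (not from the original post): addresses, threshold and log layout.
ROUTER_IPS = {ipaddress.ip_address("192.0.2.1")}           # router interface(s)
MGMT_SOURCES = [ipaddress.ip_network("198.51.100.10/32")]  # allowed admin host(s)
URI_LIMIT = 2048  # alert well below the ~4000 characters named in the advisory

def parse_line(line):
    """Split 'timestamp src dst METHOD URI' into typed fields, or return None."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    ts, src, dst, method, uri = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), method.upper(), uri
    except ValueError:
        return None

def review(lines):
    """Return (timestamp, source, reason) for each request that needs attention."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, method, uri = rec
        if dst not in ROUTER_IPS:
            continue  # only the router's own web interface matters here
        if not any(src in net for net in MGMT_SOURCES):
            findings.append((ts, str(src), "http to router from non-management source"))
        if len(uri) >= URI_LIMIT:
            findings.append((ts, str(src), f"overlong URI ({len(uri)} chars)"))
    return findings

# Constructed sample records, not captured traffic.
SAMPLE = [
    "2002-11-03T00:40:01Z 198.51.100.10 192.0.2.1 GET /index.html",
    "2002-11-03T00:41:12Z 203.0.113.7 192.0.2.1 GET /" + "A" * 4000,
    "2002-11-03T00:42:30Z 203.0.113.7 192.0.2.50 GET /" + "A" * 4000,
    "2002-11-03T00:43:05Z 198.51.100.10 192.0.2.1 GET /" + "B" * 2100,
    "malformed line",
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="  ")
```

A finding of the first kind means the deny class is not catching traffic to the router interface; the second kind is worth reviewing even from a management source.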

