Message-ID: <542E221F.1010303@eggo.org>
Date: Fri, 03 Oct 2014 00:12:15 -0400
From: "Eric S. Johansson"
To: Dave Taht
References: <542DFCCA.7080708@eggo.org> <542E1267.1000208@eggo.org>
Cc: Joel Wirāmu Pauling, cerowrt-devel
Subject: Re: [Cerowrt-devel] vpn fw question
List-Id: Development issues regarding the cerowrt test router project

On 10/2/2014 11:38 PM, Dave Taht wrote:
> Personally I find the output of
>
> ip route show
>
> to be much more readable and usable nowadays.

You are quite right. It is.
Thank you for the reminder to kill off old habits and build a new old habit.

> Ideally you should be able to shrink that 10.43 network into a single 10.43.0.0/20 route.

That is my plan when I replace the firewall in the main office. There is a lot of cruft in the old firewall, including multiple holes for things people "used to do" but they don't dare close them because they might have to do them again. I wish IPCop was sufficiently sophisticated for this purpose but I think the UI has gotten rather crufty since I last worked on it. You see, I work in the land of myth and magic. A little bit of Hollywood right here in Boston.

and WTH is this?
172.30.42.0 0.0.0.0 255.255.255.0 ! 0 0 0 *

> That is what is called a "covering route". The interfaces in cerowrt are
> all /27s out of a single /24. Just as you could just do a 10.43.0.0/20 route
> instead of the 16 10.43 routes above.

I've got to learn Lua and how to debug in this environment better.

I should probably explain. I was one of the founding members of the IPCop firewall. We put a lot of energy into making it simple and easy to use so that it was harder to make mistakes. I apologize in advance if I offend anyone but the current UI for Cerowrt/openwrt is not shaped by workflow but by the need to expose everything. I'm hoping that I will be able to demonstrate what I mean by an error-resistant UI sometime over the next few months. In the meantime however, I'm going to try and learn enough so I can be useful fixing small bugs and reducing chaos enhancers in tools like uci.

And I just saw your other mail about BCP 38. What is it?

--- eric
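The two ideas discussed in this message, as an added example that is not part of the original mail or of CeroWrt: a longest-prefix-match lookup showing how a covering reject route (the `!` flag in the routing table line above marks a reject route) catches addresses that no /27 claims, and aggregation of sixteen /24s into one /20. The routing table is constructed; the interface names, the gateway address, and the choice of which /27s and which sixteen 10.43 /24s exist are assumptions.

```python
import ipaddress

# Constructed table modelled on the thread: /27 interface routes carved out of
# 172.30.42.0/24, the covering reject route, and a default route.
# Interface names and the gateway address are assumptions.
ROUTES = [
    ("0.0.0.0/0", "via 192.0.2.1 dev ge00"),
    ("172.30.42.0/24", "reject"),  # the covering route
    ("172.30.42.0/27", "dev se00"),
    ("172.30.42.64/27", "dev sw00"),
    ("172.30.42.96/27", "dev sw10"),
]

def lookup(dest, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, action in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return (str(best[0]), best[1]) if best else None

def aggregate(prefixes):
    """Collapse prefixes into the fewest routes that add no address space."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def uncovered(covering, specifics):
    """Space inside the covering route that no specific route claims,
    i.e. what the reject entry stops from following the default route."""
    remaining = [ipaddress.ip_network(covering)]
    for s in map(ipaddress.ip_network, specifics):
        kept = []
        for r in remaining:
            if s.subnet_of(r):
                kept.extend(r.address_exclude(s))  # split r around s
            elif not r.subnet_of(s):
                kept.append(r)                     # disjoint, keep whole
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

if __name__ == "__main__":
    for dest in ("172.30.42.70", "172.30.42.200", "198.51.100.9"):
        print(dest, "->", lookup(dest))
    print(aggregate(f"10.43.{i}.0/24" for i in range(16)))
    print(uncovered("172.30.42.0/24", [p for p, _ in ROUTES[2:]]))
```

Aggregation is only safe when every collapsed prefix shares the same next hop; `aggregate` checks contiguity, not next hops.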