From: Sebastian Moeller <moeller0@gmx.de>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] cerowrt-3.10.32-12 released
Date: Sat, 22 Mar 2014 00:04:58 +0100
Message-ID: <7F1EA8E6-0C2E-471D-A24F-8D08A10998FC@gmx.de>
In-Reply-To: <87mwgjtb8z.fsf@alrua-x1.karlstad.toke.dk>

On Mar 21, 2014, at 23:53 , Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> Sebastian Moeller <moeller0@gmx.de> writes:
>
>> I did not notice this even though my primary router furnishes
>> cerowrt with 192.168.2.104 (but no additional subnets in there), the
>> internet works and I can reach machines in the primary subnet just
>> fine, so nothing to see here ;) Great work Dave and Toke.
>
> Yay!
>
> Just to confirm:
>
> 1. What is the output of `ipset list` on the router?
root@nacktmulle:~# ipset list
Name: bcp38-ipv4
Type: hash:net
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8856
References: 2
Members:
127.0.0.0/8
192.168.2.0/24 nomatch
172.16.0.0/12
10.0.0.0/8
192.0.2.0/24
169.254.0.0/16
240.0.0.0/4
198.51.100.0/24
203.0.113.0/24
0.0.0.0/8
192.168.0.0/16
root@nacktmulle:~#
>
> 2. What happens if you ping 192.168.1.1 (or some other address in a
> private subnet, but not configured on any of your interfaces)?
root@nacktmulle:~# ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Operation not permitted

For comparison, the primary router:
root@nacktmulle:~# ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=0.849 ms
--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.849/0.849/0.849 ms
root@nacktmulle:~#

And from my macbook on SW00:
hms-beagle:~ moeller$ ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
92 bytes from 172.30.42.65: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 d987 0 0000 3f 01 0a0a 172.30.42.80 192.168.1.1
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
hms-beagle:~ moeller$ ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=3.993 ms
--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.993/3.993/3.993/0.000 ms
hms-beagle:~ moeller$

After white-listing 192.168.1.0/24:
hms-beagle:~ moeller$ ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
hms-beagle:~ moeller$

After deletion of the exemption it is back again to "Destination Net Unreachable".
It just seems to work, and well at that.
>
>> I guess having an easy way to set exceptions is really a good
>> solution.
>
> There's a BCP38 tab in the firewall config that allows you to input
> subnet exceptions manually if needed. :)
I guess I should have been clearer in my comment; what I wanted to say is that it is great that you actually offer this ;). (Tiny note: if there is only one member in the white-list, the GUI only shows the add button and no delete button; just deleting the contents does work though.)

Best Regards
Sebastian
>
> -Toke
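
Added example, not part of the original message or of CeroWrt's code: a Python model of how the `bcp38-ipv4` set listed above decides the pings shown, with the `nomatch` entry acting as an exception. It assumes the most specific covering prefix decides set membership and that the firewall rejects upstream traffic whose destination is in the set; the function names are hypothetical.

```python
import ipaddress

# Members copied from the `ipset list` output in the message above.
BCP38_MEMBERS = """\
127.0.0.0/8
192.168.2.0/24 nomatch
172.16.0.0/12
10.0.0.0/8
192.0.2.0/24
169.254.0.0/16
240.0.0.0/4
198.51.100.0/24
203.0.113.0/24
0.0.0.0/8
192.168.0.0/16
"""


def parse_members(text):
    """Parse ipset 'Members:' lines into (network, nomatch) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        network = ipaddress.ip_network(fields[0])
        entries.append((network, "nomatch" in fields[1:]))
    return entries


def in_set(addr, entries):
    """Assumed lookup rule: the most specific covering prefix decides,
    and a nomatch entry means 'treat as not in the set'."""
    ip = ipaddress.ip_address(addr)
    covering = [(net, nomatch) for net, nomatch in entries if ip in net]
    if not covering:
        return False
    _, nomatch = max(covering, key=lambda entry: entry[0].prefixlen)
    return not nomatch


def verdict(addr, entries):
    """Assumption: upstream destinations that are in the set are rejected."""
    return "reject" if in_set(addr, entries) else "allow"
```

Here "allow" only means the filter no longer rejects the packet; as in the white-listing test above, the ping can still go unanswered.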