From: Sebastian Moeller
Date: Sat, 22 Mar 2014 00:04:58 +0100
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] cerowrt-3.10.32-12 released
Message-Id: <7F1EA8E6-0C2E-471D-A24F-8D08A10998FC@gmx.de>
In-Reply-To: <87mwgjtb8z.fsf@alrua-x1.karlstad.toke.dk>

On Mar 21, 2014, at 23:53 , Toke Høiland-Jørgensen wrote:

> Sebastian Moeller writes:
>
>> I did not notice this even though my primary router furnishes
>> cerowrt with 192.168.2.104 (but no additional subnets in there), the
>> internet works and I can reach machines in the primary subnet just
>> fine, so nothing to see here ;) Great work Dave and Toke.
>
> Yay!
>
> Just to confirm:
>
> 1. What is the output of `ipset list` on the router?

root@nacktmulle:~# ipset list
Name: bcp38-ipv4
Type: hash:net
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8856
References: 2
Members:
127.0.0.0/8
192.168.2.0/24 nomatch
172.16.0.0/12
10.0.0.0/8
192.0.2.0/24
169.254.0.0/16
240.0.0.0/4
198.51.100.0/24
203.0.113.0/24
0.0.0.0/8
192.168.0.0/16
root@nacktmulle:~#

>
> 2. What happens if you ping 192.168.1.1 (or some other address in a
> private subnet, but not configured on any of your interfaces)?

root@nacktmulle:~# ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Operation not permitted

For comparison the primary router:

root@nacktmulle:~# ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=0.849 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.849/0.849/0.849 ms
root@nacktmulle:~#

And from my macbook on SW00:

hms-beagle:~ moeller$ ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
92 bytes from 172.30.42.65: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 d987   0 0000  3f  01 0a0a 172.30.42.80  192.168.1.1

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

hms-beagle:~ moeller$ ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=3.993 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.993/3.993/3.993/0.000 ms
hms-beagle:~ moeller$

After white-listing 192.168.1.0/24:

hms-beagle:~ moeller$ ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
hms-beagle:~ moeller$

After deletion of the exemption it is back again to "Destination Net Unreachable". It just seems to work, and well at that.

>
>> I guess having an easy way to set exceptions is really a good
>> solution.
>
> There's a BCP38 tab in the firewall config that allows you to input
> subnet exceptions manually if needed. :)

I guess I should have been clearer in my comment; what I wanted to say is that it is great that you actually offer this ;). (Tiny note: if there is only one member in the white-list the GUI only shows the add button and no delete button, just deleting the contents does work though.)

Best Regards
Sebastian

>
> -Toke
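A small model of the hash:net lookup behind the bcp38-ipv4 set shown in the mail, added here as an illustration and not code from cerowrt or from anyone on the thread. It assumes the firewall rule consulting the set rejects matching destinations (the "Operation not permitted" and "Destination Net Unreachable" results above) and uses helper names of my own; it shows why the `nomatch` entry lets 192.168.2.1 through while 192.168.1.1 is rejected, and what white-listing 192.168.1.0/24 changes.

```python
import ipaddress

# Members of bcp38-ipv4 exactly as `ipset list` printed them in the mail;
# True marks the one entry carrying the "nomatch" flag (the upstream subnet).
BCP38_IPV4 = [
    ("127.0.0.0/8", False),
    ("192.168.2.0/24", True),
    ("172.16.0.0/12", False),
    ("10.0.0.0/8", False),
    ("192.0.2.0/24", False),
    ("169.254.0.0/16", False),
    ("240.0.0.0/4", False),
    ("198.51.100.0/24", False),
    ("203.0.113.0/24", False),
    ("0.0.0.0/8", False),
    ("192.168.0.0/16", False),
]


def in_set(addr, members=BCP38_IPV4):
    """Emulate a hash:net lookup: the most specific member containing
    addr decides, and if that member is flagged nomatch the lookup fails
    exactly as if no member covered the address at all."""
    ip = ipaddress.ip_address(addr)
    best = None  # (network, nomatch) of the longest matching prefix so far
    for net_str, nomatch in members:
        net = ipaddress.ip_network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nomatch)
    return best is not None and not best[1]


def bcp38_verdict(addr, members=BCP38_IPV4):
    """Verdict of an assumed '-m set --match-set bcp38-ipv4 dst -j REJECT'
    style rule: destinations in the set are rejected, all others pass."""
    return "REJECT" if in_set(addr, members) else "ACCEPT"


def with_exception(cidr, members=BCP38_IPV4):
    """What the BCP38 tab's white-list amounts to: add cidr as a nomatch entry."""
    return members + [(cidr, True)]


if __name__ == "__main__":
    # The two destinations pinged in the mail plus two constructed ones.
    for dst in ("192.168.1.1", "192.168.2.1", "10.1.2.3", "8.8.8.8"):
        print(dst, bcp38_verdict(dst))
    print("192.168.1.1 after white-list:",
          bcp38_verdict("192.168.1.1", with_exception("192.168.1.0/24")))
```

Note that after the white-list entry the packet is no longer rejected locally, which matches the mail: the ping then simply times out upstream instead of drawing an ICMP unreachable from the router.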