From: Toke Høiland-Jørgensen
To: Dave Taht
Cc: "cerowrt-devel@lists.bufferbloat.net"
Subject: Re: [Cerowrt-devel] cerowrt-3.10.32-9 released
Date: Mon, 17 Mar 2014 15:39:35 +0100
Message-ID: <87a9colwig.fsf@toke.dk>
In-Reply-To: <87eh20lwx5.fsf@toke.dk> ("Toke Høiland-Jørgensen"'s message of "Mon, 17 Mar 2014 15:30:46 +0100")
References: <5162.1395058842@sandelman.ca> <87eh20lwx5.fsf@toke.dk>
List-Id: Development issues regarding the cerowrt test router project

Toke Høiland-Jørgensen writes:

> So, not sure exactly how it's supposed to work; does this hook into the
> firewall after NAT'ing has been applied? Otherwise you'd presumably need
> to add exceptions for the configured internal network(s)? (I think that
> may be what is going on in the bcp script at ln 38, but some sort of
> auto-detection of the relevant network(s) would be needed? Or as a
> minimum a whitelist configuration option?)

Also, is there a reason you're not putting the contents of the ipset
into the firewall configuration file? Then you'd have the GUI sorted
(assuming there's LUCI support for ipset)...

-Toke