From: Dave Taht <dave.taht@gmail.com>
To: "Eric S. Johansson" <esj@eggo.org>
Cc: "Joel Wirāmu Pauling" <joel@aenertia.net>,
cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] vpn fw question
Date: Thu, 2 Oct 2014 21:32:56 -0700
Message-ID: <CAA93jw6Vp_FVuEY=k8J+Ekzi=TbjfD7xoQ9WDxJHDXJiCcPtuQ@mail.gmail.com>
In-Reply-To: <542E221F.1010303@eggo.org>
If for example, you can coax openvpn to name its tunnel device se01,
the existing firewall rules using the s+ pattern match will
automagically pick it up.
I've kind of wanted the same feature for vlans but never figured out
how to turn a se00.2 into a gw02.
On Thu, Oct 2, 2014 at 9:12 PM, Eric S. Johansson <esj@eggo.org> wrote:
>
> On 10/2/2014 11:38 PM, Dave Taht wrote:
>>
>> Personally I find the output of
>>
>> ip route show
>>
>> to be much more readable and usable nowadays.
>
>
> You are quite right. It is. Thank you for the reminder to kill off old
> habits and build a new old habit.
Best way to look at ipv6, also.
>
>> Ideally you should be able to shrink that 10.43 network into a single
>> 10.43.0.0/20 route.
>
> That is my plan when I replace the firewall in the main office. There is a
> lot of cruft in the old firewall including multiple holes for things people
> "used to do" but they don't dare close them because they might have to do
> them again. I wish IPCop was sufficiently sophisticated for this purpose
> but I think the UI has gotten rather crufty since I last worked on it.
>
> You see, I work in the land of myth and magic. A little bit of Hollywood
> right here in Boston.
>
> and WTH is this?
> 172.30.42.0 0.0.0.0 255.255.255.0 ! 0 0 0 *
>
>> That is what is called a "covering route". The interfaces in cerowrt are
>> all /27s out of a single /24. Just as you could just do a 10.43.0.0/20
>> route instead of the 16 10.43 routes above.
>
>
> I've got to learn Lua and how to debug in this environment better. I should
> probably explain.
It is generally simplest to run an x86 VM of openwrt.
> I was one of the founding members of the IPCop firewall.
Very cool!
> We put a lot of energy into making it simple and easy to use so that it was
> harder to make mistakes. I apologize in advance if I offend anyone but the
> current UI for Cerowrt/openwrt is not shaped by workflow but by the need to
> expose everything.
Oh no. A lot of the complexity in cerowrt is just there to make sure that
complex setups can work. I care a lot about exposing appropriate
functionality, routing in an IoT world, as one example, not one whit about
the gui stuff.
The luci part of openwrt is sorely in need of more bodies.
There is an attempt to rewrite the gui in more javascript in luci2.
the openwireless.org folk are doing their own gui for cero, and realizing that
the 80/20 rule applies, but it's a different 20 for every user. See their
mailing list and codebase for details.
Every manufacturer dumbs down the gui so much these days that it's
impossible to turn NAT off on current Netgear, D-Link, and Apple products.
I, personally, happen to really like naming interfaces after their function
given the expressiveness of the pattern matching syntax, but it is
an idea few have adopted....
> I'm hoping that I will be able to demonstrate what I mean by an error
> resistant UI sometime over the next few months. In the meantime however, I'm
> going to try and learn enough so I can be useful fixing small bugs and
> reducing chaos enhancers in tools like uci.
The successor to BB is called Chaos Calmer.
I suggest joining the relevant #openwrt-devel and #bufferbloat channels.
>
> And I just saw your other mail about BCP 38. What is it?
The answer to dns amplification attacks in particular.
http://tools.ietf.org/html/bcp38
https://www.youtube.com/watch?v=9-StM3Zfv6o&feature=youtu.be&list=PLSnVjSuzLJcxbiilGE421Zx7Wk3Wez8NS
>
> --- eric
>
>
--
Dave Täht
https://www.bufferbloat.net/projects/make-wifi-fast
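Added example, not code from this thread or from CeroWrt/OpenWrt: it works through the two routing points raised above, collapsing the "16 10.43 routes" and the CeroWrt /27s into covering routes (with a check for address space a covering route would newly attract), and then applying a BCP38-style source filter over those site prefixes. The sample route lists are constructed; the /24s under 10.43.0.0/20 and the /27s under 172.30.42.0/24 are assumed from the thread's description.

```python
"""Added example, not code from the thread or from CeroWrt/OpenWrt: uses
only the standard-library ipaddress module.  Sample data is constructed:
the "16 10.43 routes" are taken to be 10.43.0.0/24 .. 10.43.15.0/24 and
the CeroWrt /27s are carved from 172.30.42.0/24 as the thread states."""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def covering_routes(routes: Iterable[str]) -> List[Net]:
    """Collapse a route list into the minimal set of covering prefixes."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(r) for r in routes))


def extra_space(cover: str, routes: Iterable[str]) -> List[Net]:
    """Parts of `cover` that no original route served.  Non-empty means the
    covering route would also attract traffic the old table did not route,
    so check this before replacing many specifics with one aggregate."""
    leftover = [ipaddress.ip_network(cover)]
    for r in map(ipaddress.ip_network, routes):
        nxt = []
        for piece in leftover:
            if r.subnet_of(piece):          # carve r out of this piece
                nxt.extend(piece.address_exclude(r))
            elif not piece.subnet_of(r):    # untouched by r; keep it
                nxt.append(piece)
        leftover = nxt
    return list(ipaddress.collapse_addresses(leftover))


def bcp38_allows(src: str, site_prefixes: Iterable[Net]) -> bool:
    """BCP38 filter for packets leaving the site: the source must belong to
    one of the site's own prefixes; anything else is a spoofed source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in site_prefixes)


# Constructed sample data (see module docstring)
OFFICE_ROUTES = [f"10.43.{i}.0/24" for i in range(16)]
CERO_ROUTES = [f"172.30.42.{i * 32}/27" for i in range(8)]

if __name__ == "__main__":
    site = covering_routes(OFFICE_ROUTES + CERO_ROUTES)
    print([str(n) for n in site])          # ['10.43.0.0/20', '172.30.42.0/24']
    # With one /24 missing, the /20 would cover space the old table did not:
    print(extra_space("10.43.0.0/20", OFFICE_ROUTES[:15]))  # [10.43.15.0/24]
    for src in ("10.43.7.12", "172.30.42.200", "198.51.100.9"):
        print(src, "allowed" if bcp38_allows(src, site) else "dropped")
```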