From: Dave Taht
To: "Eric S. Johansson"
Cc: Joel Wirāmu Pauling, cerowrt-devel
Date: Thu, 2 Oct 2014 21:32:56 -0700
Subject: Re: [Cerowrt-devel] vpn fw question
In-Reply-To: <542E221F.1010303@eggo.org>

If for example, you can coax openvpn to name its tunnel device se01,
the existing firewall rules using the s+ pattern match will
automagically pick it up.

I've kind of wanted the same feature for vlans but never figured out
how to turn a se00.2 into a gw02.

On Thu, Oct 2, 2014 at 9:12 PM, Eric S. Johansson wrote:
>
> On 10/2/2014 11:38 PM, Dave Taht wrote:
>>
>> Personally I find the output of
>>
>> ip route show
>>
>> to be much more readable and usable nowadays.
>
>
> you are quite right. It is. thank you for the reminder to kill off old
> habits and build a new old habit. best way to look at ipv6, also.
>
>> Ideally you should be able to shrink that 10.43 network into a single
>> 10.43.0.0/20 route.
>
> that is my plan when I replace the firewall in the main office. There is a
> lot of Cruft in the old firewall including multiple holes for things people
> "used to do" but they don't dare close them because they might have to do
> them again. I wish IP cop was sufficiently sophisticated for this purpose
> but I think the UI has gotten rather crufty since I last worked on it.
>
> You see, I work in the land of myth and magic. A little bit of Hollywood
> right here in Boston.
>
> and WTH is this?
> 172.30.42.0 0.0.0.0 255.255.255.0 ! 0 0 0 *
>
>> That is what is called a "covering route". The interfaces in cerowrt are
>> all /27s out of a single /24. Just as you could just do a 10.43.0.0/20
>> route
>> instead of the 16 10.43 routes above.
>
>
> I've got to learn Lua and how to debug in this environment better. I should
> probably explain.

It is generally simplest to run an x86 vm of openwrt.

> I was one of the founding members of the IPCop firewall.

Very cool!

> We put a lot of energy into making it simple and easy to use so that it was
> harder to make mistakes. I apologize in advance if I offend anyone but the
> current UI for Cerowrt/openwrt is not shaped by workflow but by the need to
> expose everything.

Oh no. A lot of the complexity in cerowrt is just there to make sure
that complex setups can work. I care a lot about exposing appropriate
functionality, routing in an IoT world, as one example, not one whit
about the gui stuff.

The luci part of openwrt is sorely in need of more bodies. There is an
attempt to rewrite the gui in more javascript in luci2.

the openwireless.org folk are doing their own gui for cero, and realizing that
the 80/20 rule applies, but it's a different 20 for every user. See their
mailing list and codebase for details.

Every manufacturer dumbs down the gui so much these days that it's
impossible to turn nat off on current netgear, d-link, and apple
products.

I, personally, happen to really like naming interfaces after their
function given the expressiveness of the pattern matching syntax, but
it is an idea few have adopted....

> I'm hoping that I will be able to demonstrate what I mean by an error
> resistant UI sometime over the next few months. In the meantime however, I'm
> going to try and learn enough so I can be useful fixing small bugs and
> reducing chaos enhancers in tools like uci.

The successor to BB is called chaos calmer. I suggest joining the
relevant #openwrt-devel and #bufferbloat channels.

>
> And I just saw your other mail about BCP 38. What is it?

The answer to dns amplification attacks in particular.
http://tools.ietf.org/html/bcp38
https://www.youtube.com/watch?v=9-StM3Zfv6o&feature=youtu.be&list=PLSnVjSuzLJcxbiilGE421Zx7Wk3Wez8NS

>
> --- eric
>
>

-- 
Dave Täht
https://www.bufferbloat.net/projects/make-wifi-fast
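Two points in the thread above, the covering route (collapsing the sixteen 10.43.x.0/24 routes into 10.43.0.0/20, or cerowrt's /27s into their /24) and BCP 38 as the answer to DNS amplification, worked through as an added example written for this page rather than code from the thread or from cerowrt. The route lists are constructed since the thread does not list them, and the example also shows the caveat that a covering route reaches address space the original routes never had.

```python
import ipaddress

# Constructed sample data, not from the thread: sixteen 10.43.N.0/24 routes
# standing in for the "16 10.43 routes", and eight cerowrt-style /27s of one /24.
SITE_ROUTES = [ipaddress.ip_network(f"10.43.{n}.0/24") for n in range(16)]
CERO_ROUTES = [ipaddress.ip_network(f"172.30.42.{n * 32}/27") for n in range(8)]


def covering_route(routes):
    """Smallest single prefix that contains every route in the list."""
    nets = sorted(routes)
    cover, last = nets[0], nets[-1]
    while not last.subnet_of(cover):
        cover = cover.supernet()
    return cover


def uncovered_holes(routes):
    """Address space the covering route reaches that none of the originals do.
    A non-empty result is the caveat: the summary route also forwards (and a
    firewall rule written against it also admits) traffic for prefixes the
    site does not actually have."""
    holes = [covering_route(routes)]
    for r in routes:
        holes = [p for net in holes
                 for p in ([] if net.subnet_of(r) else
                           (net.address_exclude(r) if r.subnet_of(net) else [net]))]
    return list(ipaddress.collapse_addresses(holes))


def bcp38_egress_filter(local_routes, packets):
    """BCP 38 filtering at the site edge: a packet leaving the site whose source
    is not inside any local prefix is spoofed and dropped, so the site cannot be
    used as a reflector. packets: list of (src, dst); returns (forwarded, dropped)."""
    local = list(ipaddress.collapse_addresses(local_routes))
    forwarded, dropped = [], []
    for src, dst in packets:
        legit = any(ipaddress.ip_address(src) in net for net in local)
        (forwarded if legit else dropped).append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    print(covering_route(SITE_ROUTES))  # 10.43.0.0/20
    print(covering_route(CERO_ROUTES))  # 172.30.42.0/24
    # Leave out one /24 to show the hole a covering route papers over.
    print(uncovered_holes(SITE_ROUTES[:5] + SITE_ROUTES[6:]))  # [10.43.5.0/24]
    sample = [("10.43.3.7", "198.51.100.53"), ("203.0.113.9", "198.51.100.53")]
    print(bcp38_egress_filter(SITE_ROUTES, sample))
```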