[Cerowrt-devel] cerowrt-3.10.32-12 released
Sebastian Moeller
moeller0 at gmx.de
Fri Mar 21 19:04:58 EDT 2014
On Mar 21, 2014, at 23:53 , Toke Høiland-Jørgensen <toke at toke.dk> wrote:
> Sebastian Moeller <moeller0 at gmx.de> writes:
>
>> I did not notice this even though my primary router furnishes
>> cerowrt with 192.168.2.104 (but no additional subnets in there), the
>> internet works and I can reach machines in the primary subnet just
>> fine, so nothing to see here ;) Great work Dave and Toke.
>
> Yay!
>
> Just to confirm:
>
> 1. What is the output of `ipset list` on the router?
root at nacktmulle:~# ipset list
Name: bcp38-ipv4
Type: hash:net
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8856
References: 2
Members:
127.0.0.0/8
192.168.2.0/24 nomatch
172.16.0.0/12
10.0.0.0/8
192.0.2.0/24
169.254.0.0/16
240.0.0.0/4
198.51.100.0/24
203.0.113.0/24
0.0.0.0/8
192.168.0.0/16
root at nacktmulle:~#
>
> 2. What happens if you ping 192.168.1.1 (or some other address in a
> private subnet, but not configured on any of your interfaces)?
root at nacktmulle:~# ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Operation not permitted
For comparison, the primary router:
root at nacktmulle:~# ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=0.849 ms
--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.849/0.849/0.849 ms
root at nacktmulle:~#
And from my macbook on SW00:
hms-beagle:~ moeller$ ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
92 bytes from 172.30.42.65: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 d987 0 0000 3f 01 0a0a 172.30.42.80 192.168.1.1
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
hms-beagle:~ moeller$ ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=63 time=3.993 ms
--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.993/3.993/3.993/0.000 ms
hms-beagle:~ moeller$
After white-listing 192.168.1.0/24:
hms-beagle:~ moeller$ ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
hms-beagle:~ moeller$
After deletion of the exemption it is back again to "Destination Net Unreachable"
It just seems to work, and well at that.
>
>> I guess having an easy way to set exceptions is really a good
>> solution.
>
> There's a BCP38 tab in the firewall config that allows you to input
> subnet exceptions manually if needed. :)
I guess I should have been clearer in my comment; what I wanted to say is that it is great that you actually offer this ;). (Tiny note: if there is only one member in the white-list the GUI only shows the add button and no delete button, just deleting the contents does work though)
Best Regards
Sebastian
>
> -Toke
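The three ping results above follow directly from how an ipset of type hash:net evaluates its members: the most specific (longest-prefix) entry decides, and an entry flagged nomatch makes the test fail, so "192.168.2.0/24 nomatch" punches a hole in 192.168.0.0/16 for the upstream router's subnet. The following is an added model of that lookup, not CeroWrt's own code; it assumes the BCP38 tab's white-list works by adding further nomatch entries, as the 192.168.2.0/24 entry suggests.

```python
"""Model of the bcp38-ipv4 hash:net ipset from the `ipset list` output above
(added example, not CeroWrt code). Assumes white-list entries are added as
'nomatch' members, which is what the 192.168.2.0/24 entry looks like."""
import ipaddress

# Members copied from the `ipset list` output in the thread; the flag marks nomatch.
BCP38_IPV4 = [
    ("127.0.0.0/8", False),
    ("192.168.2.0/24", True),   # nomatch: the subnet the primary router hands out
    ("172.16.0.0/12", False),
    ("10.0.0.0/8", False),
    ("192.0.2.0/24", False),
    ("169.254.0.0/16", False),
    ("240.0.0.0/4", False),
    ("198.51.100.0/24", False),
    ("203.0.113.0/24", False),
    ("0.0.0.0/8", False),
    ("192.168.0.0/16", False),
]

class HashNet:
    """Minimal stand-in for an ipset of type hash:net with nomatch support."""
    def __init__(self, members):
        self.entries = [(ipaddress.ip_network(n), nm) for n, nm in members]

    def add(self, net, nomatch=False):
        self.entries.append((ipaddress.ip_network(net), nomatch))

    def delete(self, net):
        target = ipaddress.ip_network(net)
        self.entries = [(n, nm) for n, nm in self.entries if n != target]

    def test(self, addr):
        """True if addr matches the set, i.e. the BCP38 rule would reject it."""
        ip = ipaddress.ip_address(addr)
        hits = [(n, nm) for n, nm in self.entries if ip in n]
        if not hits:
            return False
        _net, nomatch = max(hits, key=lambda e: e[0].prefixlen)  # longest prefix wins
        return not nomatch

def bcp38_verdict(ipset, dst):
    """Map the set test to the two outcomes seen in the thread."""
    return "Operation not permitted" if ipset.test(dst) else "forwarded"

if __name__ == "__main__":
    s = HashNet(BCP38_IPV4)
    for dst in ("192.168.1.1", "192.168.2.1", "8.8.8.8"):
        print(dst, "->", bcp38_verdict(s, dst))
```

Adding 192.168.1.0/24 as a nomatch entry makes the 192.168.1.1 test fall through, which is why the ping then leaves the router and simply times out instead of being rejected.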