Message-ID: <925A849792280C4E80C5461017A4B8A2A048F9@mail733.InfraSupportEtc.com>
Date: Thu, 1 Dec 2011 09:29:59 -0600
From: "Greg Scott" <GregScott@...rasupport.com>
To: "David Lamparter" <equinox@...c24.net>
Cc: <netdev@...r.kernel.org>
Subject: RE: ebtables on a stick
> That /32 just means "on my ethernet segment I'm alone with that
> address". If the Windows box has /28 as subnet mask, it will try to
> ARP for other hosts from that subnet, instead of going through the router.
> So, that'll break connectivity to them...
I never did get this. Right now, it's a test Windows box, but eventually
it will be something else. It's connected to eth1 and needs to go
through the router - right - so how does it find its gateway at
1.2.115.146 on eth0? And setting the mask to /32 makes it even
stranger.
As long as I can get to it - why don't I try setting it to /32 and let's
see what happens. Worst case, I have to jump in the car I guess. Well,
Windows won't allow a mask of 255.255.255.255. I wonder how the real
stuff I'll eventually connect at that IP Address will behave with a /32
mask?
Digging a little deeper...
From Windows, arp -a shows both 1.2.114.146 and 192.168.10.1 with a MAC
Address of 00-0d-88-31-d8-24. Looking on the firewall with ip link show
- sure enough, that's the MAC Address of eth1.
I wonder what happens with some of the stuff I'm NATing? There's a
website at public IP 1.2.115.151, private 192.168.10.8. Pinging
1.2.115.151 and then arp -a; it shows the firewall eth1 MAC Address.
Makes sense - it is NATed after all.
Launching IE from that host - nope - that NATed website doesn't come up.
But it doesn't time out, it errors right away, suggesting it was
rejected instead of dropped. Well, OK - that's probably because I don't
have any firewall rules to handle this case (and probably don't need any
because this will never happen in production), so it went right to the
firewall itself and was properly rejected.
But the eventual box at this address will probably have its own built-in
management website. I wonder what happens with telnets on port 80 and
443 to it? They both work; the firewall forwards it and the Windows box
rejects it. So when there's a real website sitting there, it should be
OK.
So the /28 mask feels OK so far...
- Greg
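The on-link decision that the quoted reply describes (a host ARPs directly for anything inside its own subnet and hands everything else to its gateway, so with a /32 even the gateway is off-link unless a host route pins it to the interface) is small enough to model. The script below is an added illustration, not code from the thread or from anyone in it. It uses the gateway 1.2.115.146 and the NATed address 1.2.115.151 from the message; the host address 1.2.115.150 and the destination 203.0.113.9 are assumptions chosen for the example, and the `onlink_hosts` parameter stands in for an explicit host route such as Linux's `ip route add 1.2.115.146 dev eth1`, which the message does not mention.

```python
import ipaddress

# Addresses taken from the thread: the gateway on the firewall's eth0 and the
# NATed public address. The on-eth1 host address 1.2.115.150 is an assumption
# (the message never states it), chosen to fall inside the same /28 as the gateway.
GATEWAY = "1.2.115.146"
NATED_SITE = "1.2.115.151"
HOST = "1.2.115.150"
OFF_SUBNET = "203.0.113.9"  # assumed destination outside the /28


def on_link(host_ip, prefix_len, dst_ip, onlink_hosts=()):
    """True if the host treats dst_ip as directly reachable, i.e. it will ARP for it.

    A destination is on-link when it falls inside the interface's subnet, or when
    an explicit host route pins it to the interface (the trick that makes a /32
    host usable at all: 'ip route add <gw> dev eth1' on Linux).
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    dst = ipaddress.ip_address(dst_ip)
    pinned = {ipaddress.ip_address(h) for h in onlink_hosts}
    return dst in iface.network or dst in pinned


def next_hop(host_ip, prefix_len, dst_ip, gateway_ip, onlink_hosts=()):
    """Decide what the host puts into its ARP request for a given destination.

    Returns ("arp", dst) when the host ARPs for the destination itself,
    ("gateway", gw) when it sends the packet to the router, or
    ("unreachable", None) when even the gateway is off-link.
    """
    if on_link(host_ip, prefix_len, dst_ip, onlink_hosts):
        return ("arp", dst_ip)
    if on_link(host_ip, prefix_len, gateway_ip, onlink_hosts):
        return ("gateway", gateway_ip)
    return ("unreachable", None)


def arp_targets(host_ip, prefix_len, destinations, gateway_ip, onlink_hosts=()):
    """Set of addresses that will actually appear as targets in the host's ARP requests."""
    targets = set()
    for dst in destinations:
        kind, addr = next_hop(host_ip, prefix_len, dst, gateway_ip, onlink_hosts)
        if kind != "unreachable":
            targets.add(addr)
    return targets


if __name__ == "__main__":
    dests = [NATED_SITE, "1.2.115.149", OFF_SUBNET]
    # With /28 the host ARPs for 1.2.115.151 and .149 directly (the breakage the
    # quoted reply warns about) and only uses the gateway for 203.0.113.9.
    print("/28:", sorted(arp_targets(HOST, 28, dests, GATEWAY)))
    # With a bare /32 nothing is on-link, not even the gateway.
    print("/32:", sorted(arp_targets(HOST, 32, dests, GATEWAY)))
    # With /32 plus a host route for the gateway, everything goes via the router.
    print("/32 + on-link gw:", sorted(arp_targets(HOST, 32, dests, GATEWAY, (GATEWAY,))))
```

The /28 run shows why the firewall has to answer ARP on eth1 for addresses like 1.2.115.151 with its own MAC (the arp -a output in the message): the host never asks the gateway for them. The /32 run shows what Windows refuses to configure and why a bare /32 is useless without the pinned gateway route.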