Message-ID: <925A849792280C4E80C5461017A4B8A2A048F7@mail733.InfraSupportEtc.com>
Date:	Thu, 1 Dec 2011 08:10:45 -0600
From:	"Greg Scott" <GregScott@...rasupport.com>
To:	"David Lamparter" <equinox@...c24.net>
Cc:	<netdev@...r.kernel.org>
Subject: RE: ebtables on a stick

Oh - woops:

>> IP 1.2.115.157, default gw 1.2.115.146.
>
> Note that since the IP should be 1.2.115.157/_32_, it doesn't make any
> difference whether you use 1.2.115.146 for the defgw or 192.168.10.1,
> since both are out-of-subnet.

Right this second, the whole thing really is 1.2.115.157/28, or mask
255.255.255.240.  So from that host's point of view the default gw makes
sense.  You really want me to set that up as a /32?  I don't get it.  
.
.
.
>> As a troubleshooting step, I also put in:
>> /sbin/ip addr add 1.2.115.146/28 dev eth1; so now both eth0 and eth1
>> have the same IP Address.  This feels ugly and I think I'll take it out
>> because it made no difference.
>
>I agree, please remove.

I put it in last night because this was the "trick" I had to do years
ago when I used proxy ARP and that scary switch turning it on for
everything.  Btw, there are still write-ups out there advocating that
approach.
.
.
.
>> $IPTABLES -A FORWARD -s 1.2.115.157 -j ACCEPT
>
> Where is the reverse rule of this? -d 1.2.115.157 -j ACCEPT
>
>> $IPTABLES -A FORWARD -s 192.168.10.0/24 -d 1.2.115.157 -j ACCEPT
>> $IPTABLES -A FORWARD -p TCP --dport 1720 -d $ADR -j allowed
>> $IPTABLES -A FORWARD -p TCP -s $MGMT_IP -d $ADR -j allowed
>
>(what's $ADR?)

I was having trouble keeping my eyes open last night. $ADR ends up being
1.2.115.157.  That's the reverse rule you were looking for.  And then
$MGMT_IP is the rule that lets me in no matter what protocol/port.
Allowed is a user defined chain that checks for the right TCP handshake.
I should probably change the $MGMT_IP rule to just ACCEPT.  This won't
matter though - I did my ping tests last night physically sitting in
front of that XP host and trying to ping google.  

> Firewall rules?

There are a bunch of 'em to handle a website and a few ftp sites and a
PPTP VPN and the H.323 stuff I'm trying to hook back up.  I have a
little script named "allow-all-with-nat" that turns all the filtering
rules off, leaving all the NAT rules in place.  Running that makes no
difference.  The last time I posted a whole ruleset I was roundly
chastised because it was too complicated and we went off into a rathole
about H.323.  

- Greg
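The exchange above turns on two things: the missing reverse (-d) rule for the bridged host and the user-defined "allowed" chain that is only described as checking the TCP handshake. The script below is an added example, not Greg's ruleset and not from the netdev thread; it builds a symmetric FORWARD ruleset for the host and chain names the message uses, with a dry-run mode so the rules can be reviewed before they touch a live firewall, and a small check that every rule accepting by source address has a matching -d rule. The contents of the "allowed" chain (the classic --syn / ESTABLISHED,RELATED / DROP pattern), the use of conntrack for replies, and the management address 203.0.113.10 are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): symmetric FORWARD rules for the bridged
# H.323 host, with a dry-run mode and a rule-symmetry check.
IPTABLES="${IPTABLES:-iptables}"
DRYRUN="${DRYRUN:-0}"
ADR="${ADR:-1.2.115.157}"             # bridged public host, from the thread
LAN="${LAN:-192.168.10.0/24}"         # inside network, from the thread
MGMT_IP="${MGMT_IP:-203.0.113.10}"    # assumed management address (documentation range)

# Run iptables, or just print the command when DRYRUN=1.
ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Assumed contents of the "allowed" chain: the thread only says it checks for
# the right TCP handshake. New connections must start with SYN; replies to
# existing connections pass; any other TCP packet is dropped.
build_allowed_chain() {
    ipt -N allowed
    ipt -A allowed -p tcp --syn -j ACCEPT
    ipt -A allowed -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A allowed -p tcp -j DROP
}

# FORWARD rules for the host. The second rule is the reverse direction that
# was asked for in the thread; limiting it to conntrack-known replies is an
# assumption of this example, not something the message specifies.
build_forward_rules() {
    ipt -A FORWARD -s "$ADR" -j ACCEPT
    ipt -A FORWARD -d "$ADR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$LAN" -d "$ADR" -j ACCEPT
    ipt -A FORWARD -p tcp --dport 1720 -d "$ADR" -j allowed
    ipt -A FORWARD -s "$MGMT_IP" -d "$ADR" -j ACCEPT
}

# Review check: every FORWARD rule that accepts purely by source address
# (-s without -d) must have some rule carrying that address as -d, otherwise
# the reply direction is unfiltered-by-omission. Prints the number of sources
# with no matching -d rule; 0 means the ruleset is symmetric.
count_unmatched_sources() {
    DRYRUN=1 build_forward_rules | awk '
        /-A FORWARD/ {
            s = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "-d") d = $(i + 1)
            }
            if (s != "" && d == "") src[s] = 1
            if (d != "") dst[d] = 1
        }
        END {
            n = 0
            for (s in src) if (!(s in dst)) n++
            print n
        }'
}

# Default action is a dry run so the rules can be read; pass "apply" to load them.
if [ "${1:-}" = "apply" ]; then
    build_allowed_chain
    build_forward_rules
else
    DRYRUN=1 build_allowed_chain
    DRYRUN=1 build_forward_rules
    echo "unmatched source-only rules: $(count_unmatched_sources)"
fi
```

Running the script with no arguments prints the rules and the symmetry count without needing root; `sh script.sh apply` loads them. The check is deliberately simple (it looks at addresses only, not ports or protocols), which is enough to catch the exact omission raised in the thread.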
