access lists bug or design?

mbrcomp
Posts: 25
Joined: Tue Dec 15, 2015 7:45 am

access lists bug or design?

Post by mbrcomp » Tue Dec 15, 2015 8:09 am

In my test, if I "allow all" with priority 500, and "block all" with priority 1000, then everything gets blocked.
This contradicts the on-screen statement "smaller number has higher priority".
So it looks like the "block" operation always takes precedence over the "allow" one, and the number mechanism is irrelevant.

mbrcomp
Posts: 25
Joined: Tue Dec 15, 2015 7:45 am

Re: access lists bug or design?

Post by mbrcomp » Tue Dec 15, 2015 8:57 am

I have created separate VHUBs that push routes of 192.168.1.X/255.255.255.255/192.168.30.1 on the SecureNAT, so that only a single host is routed for each VHUB. I recreated the users on each VHUB.

However, this can be manually overcome very simply by issuing a "route add 192.168.1.0 mask 255.255.255.0 192.168.30.1" command on Windows and disconnecting/reconnecting the VPN. Amateur hackers would be able to spot this, and I am trusting that my VPN users won't.

In short, the access list/firewall as it works now is faulty or requires much work to do simple things, and probably there is no firewall software that can integrate with SoftEther.

Suggestions?

1) Add "ranges" to IPs on the access list dialog, in addition to the "IP Address/Mask" option used now
2) Make smaller-number rules take precedence over bigger numbers (i.e., "allow all" number 1 allows all even if "block all" number 500 exists)
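The two posts above describe the same question from two sides: what "smaller number has higher priority" should mean for an "allow all" at 500 and a "block all" at 1000, and whether ranges could be matched alongside address/mask entries. The following is an added reference model, not SoftEther's code and not the poster's. It evaluates rules in ascending priority with first match winning (the semantics the dialog text advertises), next to a "block always wins" evaluator that reproduces the behaviour the first post observed, and it accepts a hypothetical `start-end` range syntax in addition to `addr/mask` and `addr/prefixlen`. The rule lists and addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # smaller number = evaluated earlier (the semantics the dialog advertises)
    action: str     # "allow" or "block"
    src: str        # "any", "a.b.c.d/mask", "a.b.c.d/len", or hypothetical "a.b.c.d-e.f.g.h" range
    dst: str


def match_spec(spec: str, addr: str) -> bool:
    """Return True if addr falls inside spec.

    spec may be "any", a network in either "addr/prefixlen" or "addr/dotted-mask"
    form (ipaddress accepts both), or a hypothetical inclusive "start-end" range,
    which is the extension suggested in the post and not SoftEther's own syntax.
    """
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate_by_priority(rules, src: str, dst: str, default: str = "allow") -> str:
    """Documented semantics: walk rules in ascending priority; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if match_spec(rule.src, src) and match_spec(rule.dst, dst):
            return rule.action
    return default


def evaluate_block_wins(rules, src: str, dst: str, default: str = "allow") -> str:
    """Observed behaviour from the first post: any matching block overrides every allow,
    whatever the priority numbers say."""
    matched = [r for r in rules if match_spec(r.src, src) and match_spec(r.dst, dst)]
    if any(r.action == "block" for r in matched):
        return "block"
    if matched:
        return "allow"
    return default


# Constructed rule set from the first post: allow-all at 500, block-all at 1000.
CONTRADICTION_RULES = [
    Rule(500, "allow", "any", "any"),
    Rule(1000, "block", "any", "any"),
]

# Constructed rule set for the range suggestion: one host range is allowed,
# the rest of 192.168.1.0/24 is blocked by a lower-priority (larger number) rule.
RANGE_RULES = [
    Rule(10, "allow", "any", "192.168.1.10-192.168.1.20"),
    Rule(20, "block", "any", "192.168.1.0/255.255.255.0"),
]


def compare_semantics(rules, src: str, dst: str) -> dict:
    """Evaluate one packet under both models so the difference is visible side by side."""
    return {
        "by_priority": evaluate_by_priority(rules, src, dst),
        "block_wins": evaluate_block_wins(rules, src, dst),
    }


if __name__ == "__main__":
    # Under the advertised semantics allow@500 beats block@1000; under block-wins it does not.
    print("allow@500 vs block@1000:", compare_semantics(CONTRADICTION_RULES, "10.0.0.1", "192.168.1.5"))
    # A host inside the range is allowed; one outside it falls through to the /24 block.
    print("range host   :", evaluate_by_priority(RANGE_RULES, "10.0.0.1", "192.168.1.15"))
    print("outside range:", evaluate_by_priority(RANGE_RULES, "10.0.0.1", "192.168.1.100"))
```

Running the script prints `allow` for the priority model and `block` for the block-wins model on the same allow@500/block@1000 pair, which is exactly the discrepancy the first post reports; the second rule set shows how a range entry would let a single host through a broader block without needing one /32 rule per host.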

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: access lists bug or design?

Post by thisjun » Thu Dec 24, 2015 7:02 am

Please upload a screenshot of the access list rule.
