In my test, if I "allow all" with priority 500, and "block all" with priority 1000, then everything gets blocked.
This contradicts the on-screen statement "smaller number has higher priority".
So it looks like the "block" operation always takes precedence over the "allow" one, and the number mechanism is irrelevant.
access lists bug or design ?
Re: access lists bug or design ?
I have created separate VHUBs that push routes of 192.168.1.X/255.255.255.255/192.168.30.1 on the SecureNAT, so that only a single host is routed for each VHUB. I recreated the users on each VHUB.
However, this can be manually overcome very simply by issuing a "route add 192.168.1.0 mask 255.255.255.0 192.168.30.1" command on Windows and disconnecting/reconnecting the VPN. Amateur hackers would be able to spot this, and I am trusting my VPN users won't.
In short, the access list/firewall as it works now is faulty or requires much work to do simple things, and probably there is no firewall software that can integrate with SoftEther.
Suggestions?
1) Add "ranges" to IPs in the access list dialog, in addition to the "IP Address/Mask" option used now
2) Make smaller-number rules take precedence over bigger numbers (i.e., allow all number 1 allows all even if block all number 500 exists)
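To make the two evaluation models discussed in this thread concrete (first match in ascending priority number, as the dialog's "smaller number has higher priority" text suggests, versus any matching block rule winning regardless of number, as the first post observed), here is an added Python simulation. It is not SoftEther's code; the `Rule` class, the CIDR-based matching and the no-match default are assumptions made for the illustration, and the rule sets are constructed from the numbers quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int            # number shown in the dialog; smaller = higher priority
    action: str              # "allow" or "block"
    src: str = "0.0.0.0/0"   # source network in CIDR form; default matches any source
    dst: str = "0.0.0.0/0"   # destination network in CIDR form; default matches any

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def first_match_by_priority(rules, src_ip, dst_ip, default="allow"):
    """Model A: evaluate in ascending priority number; the first matching rule decides.
    The no-match default is an assumption, not a documented product behaviour."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default


def block_wins(rules, src_ip, dst_ip, default="allow"):
    """Model B: any matching block rule wins, whatever its number (the observed behaviour)."""
    matched = [r for r in rules if r.matches(src_ip, dst_ip)]
    if not matched:
        return default
    return "block" if any(r.action == "block" for r in matched) else "allow"


def compare(rules, src_ip, dst_ip):
    """Return both verdicts so the two models can be checked side by side."""
    return {"first_match": first_match_by_priority(rules, src_ip, dst_ip),
            "block_wins": block_wins(rules, src_ip, dst_ip)}


# Constructed from the first post: "allow all" at 500, "block all" at 1000.
THREAD_RULES = [Rule(500, "allow"), Rule(1000, "block")]

# Constructed from suggestion 2: a single-host allow at number 1 plus a block-all at 500.
HOST_RULES = [Rule(1, "allow", dst="192.168.1.10/32"), Rule(500, "block")]

if __name__ == "__main__":
    print(compare(THREAD_RULES, "192.168.30.5", "192.168.1.10"))   # models disagree
    print(compare(HOST_RULES, "192.168.30.5", "192.168.1.10"))     # models disagree
    print(compare(HOST_RULES, "192.168.30.5", "192.168.1.11"))     # both block
```

Running the thread's own rule set through both models shows why the observed result is consistent with "block wins" and not with "smaller number wins"; the same check can be applied to any rule set before trusting the dialog's description.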
Re: access lists bug or design ?
Please upload a screenshot of the access list rule.