Packet Filtering

roxy
Posts: 25
Joined: Sun Feb 21, 2016 10:34 am

Packet Filtering

Post by roxy » Sun Feb 21, 2016 5:20 pm

The Packet Filtering Access List SoftEther provides is a big mechanism applied on the Layer-2 connection, so one can benefit from a robust Layer-2 security mechanism to Allow/Drop certain packets. Using the Access List as it is now, however, is not very practical nor very intuitive. I configured a priority 1000 Drop All rule (user and group empty, checked all other boxes for all IPs and all MACs), but any other rule before 1000 (from 1 to 999) does not take precedence or does not get matched, so with a generic Drop All rule no other allow rule works. If I add a more specific Drop rule (i.e. a Drop All rule specifying a User or Group), any rule before 1000 for the same User or Group works. Is this by design? Also, could you think about adding a protocol group, so that on the same Virtual Hub one can Drop All by default and group together Allow rules that can be assigned to a group of users or to single users? Is there another method to avoid having a lot of rules that are difficult to maintain?

Best Regards

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Packet Filtering

Post by thisjun » Fri Mar 25, 2016 7:13 am

I think you may have made a mistake somewhere.
Please show the rules which you configured.

roxy
Posts: 25
Joined: Sun Feb 21, 2016 10:34 am

Re: Packet Filtering

Post by roxy » Fri Mar 25, 2016 1:47 pm

As you can see in the screenshot, I can only make "drop any packet not specifically allowed" work by using a group. If I enable the last 2 rules without a group specified in the rule (a more generalized drop for all connections for IPv4 and IPv6), nothing is allowed, even though these are the last 2 rules evaluated.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Packet Filtering

Post by thisjun » Fri Apr 15, 2016 8:06 am

I want to see the 'contents' column.
Please re-upload a screenshot.

roxy
Posts: 25
Joined: Sun Feb 21, 2016 10:34 am

Re: Packet Filtering

Post by roxy » Mon Apr 18, 2016 1:58 pm

I cannot make it larger; the window cannot be resized. Attached is the right part with the contents column.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Packet Filtering

Post by thisjun » Tue May 10, 2016 7:02 am

You allow packets from client to server.
However, you don't allow the opposite direction.

roxy
Posts: 25
Joined: Sun Feb 21, 2016 10:34 am

Re: Packet Filtering

Post by roxy » Tue May 24, 2016 10:52 am

I do not think this is a solution. The Drop All rule that works is the same as the one that does not work; the only difference is that in the working Drop All rule we specified a User or Group. Generic Drop All rules seem to take precedence even if there are previous, more specific rules (in which one specifies a User or Group).

Also, the rules work well; we do not specify the back direction as we think packet filtering is stateful, otherwise no rules would work.

Beeza
Posts: 2
Joined: Sat Nov 11, 2017 11:28 am

Re: Packet Filtering

Post by Beeza » Sat Nov 11, 2017 11:39 am

Did anyone get anywhere with this?
I am trying to do the simplest thing, allow just one port, and reject everything else.
The attached screenshot shows just two rules - allow port 3306, reject everything else.
But this does not work - the 'reject everything' always rejects my packets.
I know my 'allow' is correct - if I disable the 'reject all', everything works. If I then change my 3306 rule to a 'reject' - then it rejects.
But if I have 'allow 3306' followed by 'reject all' then my 3306 packets get rejected.

Any help much appreciated.

Beeza
Posts: 2
Joined: Sat Nov 11, 2017 11:28 am

Re: Packet Filtering

Post by Beeza » Mon Nov 13, 2017 5:02 pm

OK just to confirm what Roxy said in the original post back in 2016.

I need to add a group selection to both my Pass and my Discard rules. Then it works as I expect.

If I have a group on my Pass rule, but no group on the 'discard all' rule - then the Discard All rule applies.

This is not ideal and is as Roxy said 'not intuitive'. I think that is putting it mildly.

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Packet Filtering

Post by cedar » Tue Nov 14, 2017 8:47 am

You should just add a reverse rule for the returning packets.

(Of course, it also works your way, allowing all users not joining the group.)
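As an added example that is not part of this thread and not SoftEther's own code: a small Python model of a stateless, priority-ordered, first-match access list, showing why "pass TCP dst port 3306" followed by "discard all" blocks the connection until a reverse rule for the returning packets is added. The rule fields, the addresses and the first-match semantics are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int

@dataclass
class Rule:
    priority: int
    action: str                     # "pass" or "discard"
    proto: Optional[str] = None     # None means "any" for every field
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, p.proto), (self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip),
            (self.src_port, p.src_port), (self.dst_port, p.dst_port)))

def evaluate(rules, packet, default="pass"):
    """Stateless filter: first matching rule in ascending priority wins.
    No connection table, so each direction must be allowed explicitly."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.matches(packet):
            return r.action
    return default

# Constructed sample flow (assumed addresses): client opens TCP 3306 on server.
CLIENT, SERVER = "10.0.0.5", "10.0.0.10"
SYN = Packet(CLIENT, SERVER, "tcp", 51234, 3306)       # client -> server
SYN_ACK = Packet(SERVER, CLIENT, "tcp", 3306, 51234)   # server -> client

# Rule set as described in the thread: allow 3306, then discard everything.
ONE_WAY = [Rule(1, "pass", proto="tcp", dst_port=3306), Rule(1000, "discard")]
# Same set plus the reverse rule for returning packets (src port 3306).
TWO_WAY = ONE_WAY + [Rule(2, "pass", proto="tcp", src_port=3306)]

def connection_ok(rules) -> bool:
    """True only if both directions of the handshake get through."""
    return evaluate(rules, SYN) == "pass" and evaluate(rules, SYN_ACK) == "pass"
```

Run `connection_ok(ONE_WAY)` and `connection_ok(TWO_WAY)` to see that the one-directional rule set passes the SYN but discards the SYN-ACK, while the set with the reverse rule passes both.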
