access lists bug or design ?
Posted: Tue Dec 15, 2015 8:09 am
by mbrcomp
In my test, if I "allow all" with priority 500, and "block all" with priority 1000, then everything gets blocked.
This contradicts the on-screen statement "smaller number has higher priority".
So it looks like the "block" operation always takes precedence over the "allow" one, and the number mechanism is irrelevant.
Re: access lists bug or design ?
Posted: Tue Dec 15, 2015 8:57 am
by mbrcomp
I have created separate VHUBs that push routes of 192.168.1.X/255.255.255.***255***/192.168.30.1 on the securenat, so that only a single host is routed for each vhub. I recreated the users on each vhub.
However, this can be manually overcome very simply by issuing a "route add 192.168.1.0 mask 255.255.255.0 192.168.30.1" command on Windows and disconnecting/reconnecting the VPN. Amateur hackers would be able to spot this, and I am trusting my VPN users won't.
In short, the access list/firewall as it works now is faulty or requires much work to do simple things, and probably there is no firewall software that can integrate with SoftEther.
Suggestions ?
1) Add "ranges" to IPs on the access list dialog, in addition to the "IP Address/Mask" option used now
2) Make smaller number rules take precedence over bigger numbers (ie, allow all number 1 allows all even if block all number 500 exists)
Re: access lists bug or design ?
Posted: Thu Dec 24, 2015 7:02 am
by thisjun
Please upload a screenshot of access list rule.