All,
I need to ask if any of the following have been noticed by anyone before.
As I try to test a few things today, I:
- cannot forward IPENCAP traffic to another LAN destination while
running ampr-ripd 1.16 on my router
- cannot block IPENCAP traffic whatsoever at my WAN while running
ampr-ripd 1.16 on my router
- cannot block receipt of RIP44 packets from AMPRGW running ampr-ripd
1.16 on my router
Procedure:
When setting up LEDE:
- I observed that I no longer had firewall hits for RIP44 from AMPRGW
- I removed the rule, and I still receive routes
Testing receipt of MACs on tunl0 today:
- I removed my rule allowing -p 4 from the IPSET of our GW IPs
- I made a port forward rule for -p 4 to a LAN machine I set up with a
tunl0 of 44.60.44.2
- I set up routes to use tunl0
- I pinged
- Using Wireshark I never received traffic
- My router saw no hits
- I connected to
http://44.60.44.10 to perform a traceroute to 8.8.8.8
- It still worked, even though I have no firewall rule!
- the device is still in this configuration
- and I noticed one 'leaked' packet that never made it to my test tunl0
interface
- I notice that ampr-ripd 1.16 listens on protocol 4 instead of udp/520
as version 1.13 did
BUG:
It appears my firewall rules regarding IPENCAP/A.K.A. 'dev tunl0'
packets - after upgrading from 1.13 to 1.16 - are ineffective.
Need to test:
- If I configure a valid 44 IP on my router's tunl0, I assume ALL
iptables rules for it COULD POSSIBLY be ineffective (since the RIP44
rule is)
- If I can send routes in this configuration
- If I can receive routes from someone else (with correct PW, of course)
- If I receive IPENCAP packets from a non GW (since I have no method of
blocking it, except if it exists in ampr-ripd.c). Note - I'm not requesting
this feature
I will test later today.
- Lynwood
KB3VWG
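
Added example, not part of the original message and not ampr-ripd code: one way to check the "firewall hits" described above is to read the per-rule packet counters from `iptables-save -c` and list the IPENCAP, udp/520 and tunl0 rules that have never matched. The sample ruleset, the set name `ampr_gw` and the interface `eth0` are constructed, and the list of names printed for protocol 4 is an assumption.

```python
import re

# Constructed sample of `iptables-save -c` output (not taken from the post).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
[0:0] -A INPUT -i eth0 -p udp -m udp --dport 520 -j ACCEPT
[0:0] -A INPUT -i eth0 -p 4 -m set --match-set ampr_gw src -j ACCEPT
[812:97440] -A INPUT -i tunl0 -p udp -m udp --dport 520 -j ACCEPT
[15:1260] -A FORWARD -i tunl0 -j ACCEPT
COMMIT
"""

# Names a system may print for IP protocol 4; depends on /etc/protocols (assumption).
PROTO4 = {"4", "ipencap", "ipv4", "ipip"}
RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")

def classify(spec):
    """Return 'ipencap', 'rip44', 'tunl0' or None for one rule specification."""
    words = spec.split()
    opt = {w: words[i + 1] for i, w in enumerate(words[:-1]) if w.startswith("-")}
    if opt.get("-p") in PROTO4:
        return "ipencap"
    if opt.get("-p") == "udp" and opt.get("--dport") == "520":
        return "rip44"
    if "tunl0" in (opt.get("-i"), opt.get("-o")):
        return "tunl0"
    return None

def audit(save_output):
    """List (chain, kind, packets, rule) for rules touching IPENCAP, RIP44 or tunl0."""
    rows = []
    for line in save_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # table headers, chain policies, COMMIT
        pkts, _bytes, chain, spec = m.groups()
        kind = classify(spec)
        if kind:
            rows.append((chain, kind, int(pkts), spec))
    return rows

def never_hit(rows):
    """Rules whose packet counter is zero: nothing has matched them since the last reset."""
    return [r for r in rows if r[2] == 0]

if __name__ == "__main__":
    for chain, kind, pkts, spec in audit(SAMPLE):
        print(f"{'NO HITS' if pkts == 0 else 'ok':8} {pkts:>6} {chain:8} {kind:8} {spec}")
```

Comparing the output before and after removing a rule shows whether the traffic was ever traversing that rule in the first place.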