qwortz

allowprivatenetwork only allows from Class A to Class A, B to B and C to C


hi,
I am using bluetit with allowprivatenetwork=yes. In nft this creates the following input rules, with corresponding output rules:

              ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 counter packets 4359261 bytes 100522180956 accept
              ip saddr 169.254.0.0/16 ip daddr 169.254.0.0/16 counter packets 0 bytes 0 accept
              ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 counter packets 1101 bytes 115928 accept
              ip saddr 172.16.0.0/12 ip daddr 172.16.0.0/12 counter packets 0 bytes 0 accept
but I am coming from a VPN endpoint on 10.0.0.0/8 and can't log in to my server on 192.168.0.0/16 with those rules.

Could you please allow connections from all private LANs to all private LANs? Fixing this with scripts in the systemd unit file is a bit annoying.

Thanks :)


@qwortz

Hello!

Well, allowing IP forwarding between different subnets could be deemed as beyond the scope of the allowprivatenetwork directive and could be criticized as a source of hazard. We will consider the matter carefully.

Kind regards

But you allow IP forwarding from every 10.x.x.x subnet to any other, for example. The classes are just numbers and have no technical differentiation; I think enforcing this arbitrary separation has no technical value (imo :) )

I see that the setting is supposed to allow local access (e.g. home network to a NAS) by defining that you only have, say, 192.168.x.x subnets in your "household", but this seems like an assumption on your part that does not add security. RFC 1918 networks are not routed to the internet automatically, so allowing clients to connect to them does not bring any risks that they don't have with your assumptions.

Edited ... by qwortz: more arguments


Ideal would be allowing people to input an array of their home networks and allow sending between those. This would be more defined than the current way, more "secure", and flexible.

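To make the difference concrete between the four per-block rules quoted in the first post and the "any private network to any private network" behaviour requested above (and the per-network list suggested in the post just before this), here is an added example. It is not bluetit's or AirVPN's code: it is a plain POSIX shell script that classifies a source/destination pair the way each rule set would, and prints a single nft rule with anonymous sets that would replace the four rules. The block list is copied from the posted ruleset (169.254.0.0/16 is link-local rather than RFC 1918, but the posted rules include it, so it is kept); the function names are this example's own, and nothing here talks to nft or the network.

```shell
#!/bin/sh
# Added example, not bluetit's code. Pure shell arithmetic; no nft binary needed.
set -eu

# The four blocks from the posted ruleset, in the order they appear there.
PRIVATE_BLOCKS="192.168.0.0/16 169.254.0.0/16 10.0.0.0/8 172.16.0.0/12"

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
  local a b c d
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 if ADDR lies inside the prefix
in_cidr() {
  local addr net prefix mask
  addr=$1; net=${2%/*}; prefix=${2#*/}
  if [ "$prefix" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - prefix)) & 4294967295 )); fi
  [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# block_of ADDR -> prints the private block containing ADDR, or "none"
block_of() {
  local b
  for b in $PRIVATE_BLOCKS; do
    if in_cidr "$1" "$b"; then echo "$b"; return 0; fi
  done
  echo none
}

# The posted rules ("ip saddr X ip daddr X accept", one per block):
# accept only when source and destination fall in the SAME block.
# This is why 10.8.0.2 -> 192.168.1.20 is dropped on the poster's box.
allowed_per_block() {
  local s d
  s=$(block_of "$1"); d=$(block_of "$2")
  [ "$s" != none ] && [ "$s" = "$d" ]
}

# The requested behaviour: accept when source and destination are each in
# ANY of the listed blocks. Public addresses still fall through to the
# later (VPN-only) rules, so this does not open anything to the internet.
allowed_any_private() {
  [ "$(block_of "$1")" != none ] && [ "$(block_of "$2")" != none ]
}

# Render the single nft rule (anonymous sets) that expresses
# allowed_any_private for the same block list. Editing PRIVATE_BLOCKS
# to your own networks gives the "array of home networks" variant.
nft_any_private_rule() {
  local blocks b sep
  blocks="{ "; sep=""
  for b in $PRIVATE_BLOCKS; do blocks="$blocks$sep$b"; sep=", "; done
  blocks="$blocks }"
  echo "ip saddr $blocks ip daddr $blocks counter accept"
}

# Stand-alone demo: the pair from the first post under both rule sets.
if allowed_per_block 10.8.0.2 192.168.1.20; then echo "per-block: accept"
else echo "per-block: drop"; fi
if allowed_any_private 10.8.0.2 192.168.1.20; then echo "any-private: accept"
else echo "any-private: drop"; fi
nft_any_private_rule
```

The printed rule goes into the same input chain as the four posted rules (and mirrored in the output chain); because it only matches when both ends are in the listed sets, traffic to or from a public address never hits it.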
3 hours ago, qwortz said:

But you allow IP forwarding from every i.e. 10.x.x.x  subnet to any other.


Hello!

No, do not get confused by the VPN subnet on the virtual interface. Thank you for your suggestions, they will be considered.

Kind regards

You take the one detail that could be misunderstood (I meant any 10.x to any other 10.x via the "ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 accept" rule).

Don't get me wrong, thanks for your answer, but this sounds like "shut up, and we won't" 🤐.

Hope you still got my points :) 

Thanks for the service!
