| 1 |
On Wed, Mar 29, 2017 at 11:28 AM, Kai Krakow <hurikhan77@×××××.com> wrote: |
| 2 |
> Am Wed, 29 Mar 2017 04:52:08 -0700 |
| 3 |
> schrieb Jorge Almeida <jjalmeida@×××××.com>: |
| 4 |
> |
| 5 |
>> On Wed, Mar 29, 2017 at 12:45 AM, Neil Bothwick <neil@××××××××××.uk> |
| 6 |
>> wrote: |
| 7 |
>> > On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote: |
| 8 |
>> > |
| 9 |
>> |
| 10 |
>> > |
| 11 |
> > |
| 12 |
>> > |
| 13 |
>> The ISP provided router is officially managed (whatever this means) by |
| 14 |
>> them. As to privacy, I know a packet is visible once it leaves the |
| 15 |
>> router via Wan port. What I worry a bit is about the possibility of |
| 16 |
>> foul play towards the home network. The computers are firewalled via |
| 17 |
>> iptables, but accept connections from 192.168.... What prevents a |
| 18 |
>> hacked router of impersonating a local origin? |
| 19 |
> |
| 20 |
> Block packets originating from the router MAC address and that don't |
| 21 |
> belong to a known connection. Then deploy a managed switch that can do |
| 22 |
> MAC address filtering so it allows only the one MAC address on the |
| 23 |
> router port. This should be safe enough. It would be difficult to get |
| 24 |
> around such a setup. To be even more safe, use VLAN and exclude all |
| 25 |
> your computers from the management port. |
| 26 |
> |
| 27 |
> This, however, doesn't prevent tampering with packets on their way |
| 28 |
> through the router. You could use VPN and place the tunnel endpoints |
| 29 |
> only on trusted routers. That way, your ISP only relays VPN traffic, |
| 30 |
> and ensures the transfer networks below are only used for VPN and your |
| 31 |
> machines accept nothing else. |
| 32 |
> |
| 33 |
> -- |
| 34 |
Assuming that the router speed issue has no solution, I think I'll |
| 35 |
adopt a different setup: All computers (just 3) with 2 network cards; |
| 36 |
one card connected to the ISP router, rejecting all incoming packets |
| 37 |
that are not part of an established connection; the other card |
| 38 |
connected to one of my routers, accepting local connections |
| 39 |
(different subnet from the one associated with the ISP router; |
| 40 |
computers with static IPs, for good measure); This secondary router |
| 41 |
has the Wan port disconnected (is this the same as a switch?). This |
| 42 |
should allow the home computers to communicate with each other without |
| 43 |
any outside interference. Am I missing something? |
| 44 |
|
| 45 |
Regards |
| 46 |
|
| 47 |
Jorge |
Archives