On Fri, 31 Oct 2014 12:16:04 +0100, "J. Roeleveld" <joost@××××××××.org> wrote:

> On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote:
> > On Fri, 31 Oct 2014 07:52:54 +0100, "J. Roeleveld" <joost@××××××××.org> wrote:
> > > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> > [...]
> >
> > > > Oh, and there are two powerline/dLAN adapters in between (the modem is
> > > > in the room next door), but direct connections between my computer and my
> > > > brother's always worked, and they've been reliable in general, so I
> > > > assume that they're irrelevant here.
> > >
> > > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> > > might keep getting a different result each time it tries to refresh.
> >
> > How so? You mean if the modem is directly connected to the powerline
> > adapter? I would be surprised if this were a problem in general, since
> > AFAIU they're ultimately just bridges as far as the network is concerned,
> > not to mention that they explicitly target home networks with multiple
> > devices.
>
> Actually, a HUB is a better comparison.
> All the powerline adapters connect to the same network. Some you can set
> to a network-ID (think vlan) to limit this.

Also, AFAICS, all newer ones support encryption (AES128 in my case), where you
pair the devices, for which you need physical access to press the necessary
buttons. This can be used to similar effect IIUC. No clue on cross-vendor
compatibility, though. However, encryption was mainly targeted at solving the
next problem:

> The one time I played with one, I ended up seeing my neighbour's NAS.

Yeah, that problem gets mentioned a lot. You can access every other
(compatible) powerline adapter on the same electric network. Adapters on
different phases could have trouble communicating, I believe, and cross-talk
between cables can lead to data leaking into another network (but my knowledge
of things electric is reaching its end). In my case, our apartment has an
electric meter that isolates our apartment from the others, so we're fine
(plus, the adapters use encryption as mentioned above).

> > But in the end, it doesn't matter, since it's just for my desktop (which
> > doesn't have WLAN built-in); all other clients connect via WLAN.
> >
> > FWIW, I chose powerline because it seemed like a better (and driverless!)
> > alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm
> > quite happy with it.
>
> If you can ensure that only 2 devices communicate, it's a valid replacement
> for a dedicated network cable.

I didn't explicitly mention this, but the problem is that the router and modem
are in my brother's room (four-room shared student apartment, plus bathroom and
kitchen). Now, I'm not about to drag a cable out of my room, across the hall,
and into my brother's room, never mind that neither of us could close our doors
anymore without unplugging the cable and dragging it back.

So the alternative would have been to teach my desktop WLAN, which would've been
slower unless I could find something for PCI(e) or USB3 that works with Linux,
*without* me having to check out some git repository and manually compile
things in the hope that it works. The first USB3 WLAN adapter I found would've
led to that, so I made a snap decision in favour of powerline. It also didn't
hurt that I was curious about it and wanted to try it out :) .

(I actually had to (unexpectedly) do that with my wireless keyboard. Now
there's app-misc/solaar, thankfully, although why Logitech couldn't just stick
with infrared...)

> (If you accept the reduction in line-speed)

How long ago was this? I read that all modern devices incorporate various
filters to mitigate disturbances coming from other devices and, thus, that they
perform much better (or at least more robustly) than previous generations
(they also *cause* fewer disturbances). Either way, I can saturate our 16 MiB/s
internet connection with enough parallel downloads (or with a fast enough
server, such as with speedtest.net), and LAN performance is satisfactory. I
suspect one limiting factor is that the powerline adapters only have Fast
Ethernet connections (of course, so does the router, so it doesn't matter).

[...]
> > > I once connected a fresh install directly to the modem. Only took 20
> > > seconds to get owned. (This was about 9 years ago and Bind was running.)
> >
> > Ouch.
>
> I was, to be honest, expecting it to be owned. (Just not this quick.)
> It was done on purpose to see how long it would take. I pulled the network
> cable when the root-kit was being installed. Was interesting to see.

I bet :) !

> > I just hope the Fritz!Box firewall is configured correctly, especially since
> > there doesn't appear to be a UI for it. Well, OK, there is, but it's not
> > very informative in that it doesn't tell me what rules (other than manually
> > entered ones) are currently in effect; all it explicitly says is that it
> > blocks NetBIOS packets. The only other thing that's bothered me about the
> > router is the factory default (directly after flashing the firmware) of
> > activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed.
>
> It will have NAT enabled, which blocks most incoming packets. As long as the
> router isn't owned, you should be ok.

Right, I *expected* that, but it's nice to be able to verify it.

> > Out of curiosity, I looked through the exported configuration file (looks
> > like JSON), and found entries that look like firewall rules, but don't
> > really know how they apply. It's less the rules themselves, though, than
> > the context, i.e., the rules are under "pppoefw" and "dslifaces", even
> > though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's
> > software grows just as organically as everybody else's ;-) ). The one thing
> > I'm most curious about is what "lowinput", "highoutput", etc. mean, as
> > Google only found me other people asking the same question.
>
> Not familiar with those routers. Maybe someone with more knowledge can have a
> look at the config and shed some light. I would do a find/replace on the
> username and password you use to ensure that is masked before sending it to
> someone to investigate.

It's not really important; again, I just like to be able to verify it, although
right now I'm probably just being unnecessarily paranoid. AVM's routers have a
good reputation (which is why we got one), and I'm inclined to trust them unless
given reason not to.

> > Anyway, it *looks* like it blocks everything from the internet by default
> > (except for "output-related" and "input-related", which I interpret to mean
> > responses to outgoing packets and... whatever "input-related" means), and
> > the manual seems to agree by implying that the firewall is for explicitly
> > opening ports. Also, I used the Heise "Netzwerk Check" and it reports no
> > problems, so I'm mostly relieved.
>
> Yes, that's a common setting.

Again, me being overly focused on this, with a dose of paranoia. I would be
surprised if the firewall were set up differently.

[...]
> > Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples)
> > directly and ask for his opinion.
>
> Oki, keep us updated.

Will do.

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup