On Fri, 31 Oct 2014 07:52:54 +0100,
"J. Roeleveld" <joost@××××××××.org> wrote:

> On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
[...]
> > Oh, and there are two powerline/dLAN adapters in between (the modem is in
> > the room next door), but direct connections between my computer and my
> > brother's always worked, and they've been reliable in general, so I assume
> > that they're irrelevant here.
>
> Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> might keep getting a different result each time it tries to refresh.

How so? You mean if the modem is directly connected to the powerline adapter?
I would be surprised if this were a problem in general, since AFAIU they're
ultimately just bridges as far as the network is concerned, not to mention
that they explicitly target home networks with multiple devices.

But in the end, it doesn't matter, since it's just for my desktop (which
doesn't have WLAN built-in); all other clients connect via WLAN.

FWIW, I chose powerline because it seemed like a better (and driverless!)
alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm quite
happy with it.

> > Furthermore, I found out the hard way that you *sometimes* need to reboot
> > the modem when connecting a different client for the new client to get a
> > response from the DHCP server (I discovered this after wasting half a day
> > trying to get our router to work, it would log timeouts during
> > DHCPDISCOVER). I didn't think it was the modem because when we first got
> > it, I could switch cables around between my computer and my brother's and
> > they would get their IP addresses without trouble. *sigh*
>
> That's a common flaw. These modems are designed with the idea that people only
> have 1 computer. Or at the very least put a router between the modem and
> whatever else they have.
> Please note, there is NO firewall on these modems and your machine is fully
> exposed to the internet. Unless you have your machine secured and all unused
> services disabled, you might as well assume your machine compromised.

Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the
modem's job boils down to carrying the signal over the cable network and
(on a higher level) dialing in to the ISP and forwarding packets. I would not
really expect a firewall there.

> I once connected a fresh install directly to the modem. Only took 20 seconds
> to get owned. (This was about 9 years ago and Bind was running)

Ouch.

I just hope the Fritz!Box firewall is configured correctly, especially since
there doesn't appear to be a UI for it. Well, OK, there is, but it's not very
informative in that it doesn't tell me what rules (other than manually entered
ones) are currently in effect; all it explicitly says is that it blocks NetBIOS
packets. The only other thing that's bothered me about the router is the
factory default (directly after flashing the firmware) of activating WPA2 *and*
WPA (why?!). I turned off WPA as soon as I noticed.

Out of curiosity, I looked through the exported configuration file (looks like
JSON), and found entries that look like firewall rules, but don't really know
how they apply. It's less the rules themselves, though, than the context, i.e.,
the rules are under "pppoefw" and "dslifaces", even though the router uses
neither PPPoE nor DSL (perhaps a sign that AVM's software grows just as
organically as everybody else's ;-) ). The one thing I'm most curious about is
what "lowinput", "highoutput", etc. mean, as Google only found me other people
asking the same question.

Anyway, it *looks* like it blocks everything from the internet by default
(except for "output-related" and "input-related", which I interpret to mean
responses to outgoing packets and... whatever "input-related" means), and the
manual seems to agree by implying that the firewall is for explicitly opening
ports. Also, I used the Heise "Netzwerk Check" and it reports no problems, so
I'm mostly relieved.

> > - At the time there was no router, just the modem. We now have a Fritz!Box
> > 3270 with the most recent firmware, but we got it after I "solved" this
> > problem.
> >
> > - I don't know whether we have an IP block or not; I suspect not. At the
> > very least, we didn't make special arrangements to try and get one.
>
> Then assume not. Most, if not all, ISPs charge extra for this. (If they even
> offer it)

That's what I thought :) .

Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples) directly
and ask for his opinion.

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup