| 1 |
On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote: |
| 2 |
> Am Fri, 31 Oct 2014 07:52:54 +0100 |
| 3 |
> |
| 4 |
> schrieb "J. Roeleveld" <joost@××××××××.org>: |
| 5 |
> > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote: |
| 6 |
> [...] |
| 7 |
> |
| 8 |
> > > Oh, and there are two powerline/dLAN adapters in between (the modem is |
| 9 |
> > > in |
| 10 |
> > > |
| 11 |
> > > the room next door), but direct connections between my computer and my |
| 12 |
> > > brother's always worked, and they've been reliable in general, so I |
| 13 |
> > > assume |
| 14 |
> > > that they're irrelevant here. |
| 15 |
> > |
| 16 |
> > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you |
| 17 |
> > might keep getting a different result each time it tries to refresh. |
| 18 |
> |
| 19 |
> How so? You mean if the modem is directly connected to the powerline |
| 20 |
> adapter? I would be surprised if this were a problem in general, since |
| 21 |
> AFAIU they're ultimately just bridges as far as the network is concerned, |
| 22 |
> not to mention that they explicitly target home networks with multiple |
| 23 |
> devices. |
| 24 |
|
| 25 |
Actually, a HUB is a better comparison. |
| 26 |
All the powerline adapters all connect to the same network. Some you can set |
| 27 |
to a network-ID (think vlan) to limit this. |
| 28 |
|
| 29 |
The one time I played with one, I ended up seeing my neighbours NAS. |
| 30 |
|
| 31 |
> But in the end, it doesn't matter, since it's just for my desktop (which |
| 32 |
> doesn't have WLAN built-in); all other clients connect via WLAN. |
| 33 |
> |
| 34 |
> FWIW, I chose poewrline because it seemed like a better (and driverless!) |
| 35 |
> alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm |
| 36 |
> quite happy with it. |
| 37 |
|
| 38 |
If you can ensure that only 2 devices communicate, it's a valid replacement |
| 39 |
for a dedicated network cable. (If you accept the reduction in line-speed) |
| 40 |
|
| 41 |
> > > Furthermore, I found out the hard way that you *sometimes* need to |
| 42 |
> > > reboot |
| 43 |
> > > |
| 44 |
> > > the modem when connect a different client for the new client to get a |
| 45 |
> > > response from the DHCP server (I discovered this after wasting half a |
| 46 |
> > > day |
| 47 |
> > > trying to get our router to work, it would log timeouts during |
| 48 |
> > > DHCPDISCOVER). I didn't think it was the modem because when we first |
| 49 |
> > > got |
| 50 |
> > > it, I could switch cables around between my computer and my brother's |
| 51 |
> > > and |
| 52 |
> > > they would get their IP addresses without trouble. *sigh* |
| 53 |
> > |
| 54 |
> > That's a common flaw. These modems are designed with the idea that people |
| 55 |
> > only have 1 computer. Or at the very least put a router between the modem |
| 56 |
> > and whatever else they have. |
| 57 |
> > Please note, there is NO firewall on these modems and your machine is |
| 58 |
> > fully |
| 59 |
> > exposed to the internet. Unless you have your machine secured and all |
| 60 |
> > unused services disabled, you might as well assume your machine |
| 61 |
> > compromised. |
| 62 |
> Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the |
| 63 |
> modem's job boils down to carrying the signal over the cable network and |
| 64 |
> (on a higher level) dialing in to the ISP and forwarding packets. I would |
| 65 |
> not really expect a firewall there. |
| 66 |
|
| 67 |
There isn't, usually. |
| 68 |
|
| 69 |
> > I once connected a fresh install directly to the modem. Only took 20 |
| 70 |
> > seconds to get owned. (This was about 9 years ago and Bind was running) |
| 71 |
> |
| 72 |
> Ouch. |
| 73 |
|
| 74 |
I was, to be honest, expecting it to be owned. (Just not this quick). |
| 75 |
It was done on purpose to see how long it would take. I pulled the network |
| 76 |
cable when the root-kit was being installed. Was interesting to see. |
| 77 |
|
| 78 |
> I just hope the Fritz!Box firewall is configured correctly, especially since |
| 79 |
> there doesn't appear to be a UI for it. Well, OK, there is, but it's not |
| 80 |
> very informative in that it doesn't tell me what rules (other than manually |
| 81 |
> entered ones) are currently in effect; all it explicitly says is that it |
| 82 |
> blocks NetBIOS packets. The only other thing that's bothered me about the |
| 83 |
> router is the factory default (directly after flashing the firmware) of |
| 84 |
> activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed. |
| 85 |
|
| 86 |
It will have NAT enabled, which blocks most incoming packets. As long as the |
| 87 |
router isn't owned, you should be ok. |
| 88 |
|
| 89 |
> Out of curiosity, I looked through the exported configuration file (looks |
| 90 |
> like JSON), and found entries that look like firewall rules, but don't |
| 91 |
> really know how they apply. It's less the rules themselves, though, than |
| 92 |
> the context, i.e., the rules are under "pppoefw" and "dslifaces", even |
| 93 |
> though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's |
| 94 |
> software grows just as organically as everybody else's ;-) ). The one thing |
| 95 |
> I'm most curious about is what "lowinput", "highoutput", etc. mean, as |
| 96 |
> Google only found me other people asking the same question. |
| 97 |
|
| 98 |
Not familiar with those routers. Maybe someone with more knowledge can have a |
| 99 |
look at the config and shed some light. I would do a find/replace on the |
| 100 |
username and password you use to ensure that is masked before sending it to |
| 101 |
someone to investigate. |
| 102 |
|
| 103 |
> Anyway, it *looks* like it blocks everything from the internet by default |
| 104 |
> (except for "output-related" and "input-related", which I interpret to mean |
| 105 |
> responses to outgoing packets and... whatever "input-related" means), and |
| 106 |
> the manual seems to agree by implying that the firewall is for explicitly |
| 107 |
> opening ports. Also, I used the Heise "Netzwerk Check" and it reports no |
| 108 |
> problems, so I'm mostly relieved. |
| 109 |
|
| 110 |
Yes, that's a common setting. |
| 111 |
|
| 112 |
> > > - At the time there was no router, just the modem. We now have a |
| 113 |
> > > Fritz!Box |
| 114 |
> > > |
| 115 |
> > > 3270 with the most recent firmware, but we got it after I "solved" |
| 116 |
> > > this |
| 117 |
> > > problem. |
| 118 |
> > > |
| 119 |
> > > - I don't know whether we have an IP block or not; I suspect not. At |
| 120 |
> > > the |
| 121 |
> > > very least, we didn't make special arrangements to try and get one. |
| 122 |
> > |
| 123 |
> > Then assume not. Most, if not all, ISPs charge extra for this. (If they |
| 124 |
> > even offer it) |
| 125 |
> |
| 126 |
> That's what I thought :) . |
| 127 |
> |
| 128 |
> Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples) |
| 129 |
> directly and ask for his opinion. |
| 130 |
|
| 131 |
Oki, keep us updated. |
| 132 |
|
| 133 |
-- |
| 134 |
Joost |
Archives