On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote:
> On Fri, 31 Oct 2014 07:52:54 +0100 "J. Roeleveld" <joost@××××××××.org>
> wrote:
> > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> [...]
> > > Oh, and there are two powerline/dLAN adapters in between (the modem is
> > > in the room next door), but direct connections between my computer and
> > > my brother's always worked, and they've been reliable in general, so I
> > > assume that they're irrelevant here.
> >
> > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> > might keep getting a different result each time it tries to refresh.
>
> How so? You mean if the modem is directly connected to the powerline
> adapter? I would be surprised if this were a problem in general, since
> AFAIU they're ultimately just bridges as far as the network is concerned,
> not to mention that they explicitly target home networks with multiple
> devices.

Actually, a HUB is a better comparison.
All the powerline adapters connect to the same network. Some you can set
to a network-ID (think VLAN) to limit this.

The one time I played with one, I ended up seeing my neighbour's NAS.

> But in the end, it doesn't matter, since it's just for my desktop (which
> doesn't have WLAN built-in); all other clients connect via WLAN.
>
> FWIW, I chose powerline because it seemed like a better (and driverless!)
> alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm
> quite happy with it.

If you can ensure that only 2 devices communicate, it's a valid replacement
for a dedicated network cable. (If you accept the reduction in line-speed)

> > > Furthermore, I found out the hard way that you *sometimes* need to
> > > reboot the modem when connecting a different client for the new client
> > > to get a response from the DHCP server (I discovered this after wasting
> > > half a day trying to get our router to work, it would log timeouts
> > > during DHCPDISCOVER). I didn't think it was the modem because when we
> > > first got it, I could switch cables around between my computer and my
> > > brother's and they would get their IP addresses without trouble. *sigh*
> >
> > That's a common flaw. These modems are designed with the idea that people
> > only have 1 computer. Or at the very least put a router between the modem
> > and whatever else they have.
> > Please note, there is NO firewall on these modems and your machine is
> > fully exposed to the internet. Unless you have your machine secured and
> > all unused services disabled, you might as well assume your machine
> > compromised.
>
> Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the
> modem's job boils down to carrying the signal over the cable network and
> (on a higher level) dialing in to the ISP and forwarding packets. I would
> not really expect a firewall there.

There isn't, usually.

> > I once connected a fresh install directly to the modem. Only took 20
> > seconds to get owned. (This was about 9 years ago and Bind was running)
>
> Ouch.

I was, to be honest, expecting it to be owned. (Just not this quick).
It was done on purpose to see how long it would take. I pulled the network
cable when the root-kit was being installed. Was interesting to see.

> I just hope the Fritz!Box firewall is configured correctly, especially since
> there doesn't appear to be a UI for it. Well, OK, there is, but it's not
> very informative in that it doesn't tell me what rules (other than manually
> entered ones) are currently in effect; all it explicitly says is that it
> blocks NetBIOS packets. The only other thing that's bothered me about the
> router is the factory default (directly after flashing the firmware) of
> activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed.

It will have NAT enabled, which blocks most incoming packets. As long as the
router isn't owned, you should be ok.

> Out of curiosity, I looked through the exported configuration file (looks
> like JSON), and found entries that look like firewall rules, but don't
> really know how they apply. It's less the rules themselves, though, than
> the context, i.e., the rules are under "pppoefw" and "dslifaces", even
> though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's
> software grows just as organically as everybody else's ;-) ). The one thing
> I'm most curious about is what "lowinput", "highoutput", etc. mean, as
> Google only found me other people asking the same question.

Not familiar with those routers. Maybe someone with more knowledge can have a
look at the config and shed some light. I would do a find/replace on the
username and password you use to ensure that is masked before sending it to
someone to investigate.

> Anyway, it *looks* like it blocks everything from the internet by default
> (except for "output-related" and "input-related", which I interpret to mean
> responses to outgoing packets and... whatever "input-related" means), and
> the manual seems to agree by implying that the firewall is for explicitly
> opening ports. Also, I used the Heise "Netzwerk Check" and it reports no
> problems, so I'm mostly relieved.

Yes, that's a common setting.

> > > - At the time there was no router, just the modem. We now have a
> > > Fritz!Box 3270 with the most recent firmware, but we got it after I
> > > "solved" this problem.
> > >
> > > - I don't know whether we have an IP block or not; I suspect not. At
> > > the very least, we didn't make special arrangements to try and get one.
> >
> > Then assume not. Most, if not all, ISPs charge extra for this. (If they
> > even offer it)
>
> That's what I thought :) .
>
> Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples)
> directly and ask for his opinion.

Oki, keep us updated.

--
Joost
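Joost's advice to mask the username and password before sending the exported config to someone, written up as an added Python example (not code from the thread, from AVM, or from dhcpcd): it masks scalars under credential-looking keys and find/replaces known secrets in every string, so the rule structure the thread is curious about ("pppoefw", "dslifaces") survives intact. The sample config, all key names other than those two, and the secret values are constructed for the example.

```python
import json
import re
from typing import Any, Iterable

# Keys whose values get masked outright. Assumption: the thread only says the
# export "looks like JSON", so these are generic credential-style names, not
# key names taken from a real Fritz!Box export.
SENSITIVE_KEY = re.compile(r"user(name)?|passw(or)?d|passphrase|psk|secret|wpa_?key", re.I)
MASK = "<REDACTED>"

def redact(node: Any, secrets: Iterable[str] = ()) -> Any:
    """Return a masked copy of `node` (the input is left untouched).

    One walk, two rules: a scalar under a credential-looking key is replaced
    outright, and every string has the known secrets find/replaced, which
    also catches a password reused in a comment or a URL.
    """
    secrets = [s for s in secrets if s]
    if isinstance(node, dict):
        return {k: MASK if SENSITIVE_KEY.search(k) and not isinstance(v, (dict, list))
                else redact(v, secrets) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item, secrets) for item in node]
    if isinstance(node, str):
        for secret in secrets:
            node = node.replace(secret, MASK)
    return node

def leaks(node: Any, secrets: Iterable[str]) -> list:
    """Secrets still present anywhere in the serialised config; should be []."""
    text = json.dumps(node)
    return [s for s in secrets if s and s in text]

# Constructed sample: only "pppoefw" and "dslifaces" are key names mentioned in
# the thread; every other key and every value is made up for this example.
SAMPLE_CONFIG = {
    "pppoefw": {"lowinput": [{"proto": "tcp", "dport": 139, "action": "reject"}]},
    "dslifaces": [{"name": "dsl0", "username": "joe@example.net", "password": "hunter2"}],
    "wlan": {"ssid": "homenet", "wpa_key": "correct horse battery staple"},
    "notes": "dial-in still uses hunter2 on the old account",
}
KNOWN_SECRETS = ["hunter2", "correct horse battery staple"]

if __name__ == "__main__":
    clean = redact(SAMPLE_CONFIG, KNOWN_SECRETS)
    print(json.dumps(clean, indent=2))
    print("leaked:", leaks(clean, KNOWN_SECRETS))
```

Run `leaks()` on the masked copy before sending it; a non-empty result means a secret survived somewhere the key-based pass could not see, such as a free-text note.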