| 1 |
On Tuesday, 1 March 2022 12:35:17 GMT Peter Humphrey wrote: |
| 2 |
> Hello list, |
| 3 |
> |
| 4 |
> I use net-firewall/shorewall to protect my machines; it's served me well for |
| 5 |
> many years. My ISP gave me a FritzBox modem-router recently, in the hope of |
| 6 |
> better media streaming, but it's spamming my LAN server with HTTP requests |
| 7 |
> (port 80). The other machines are left alone; just this one is affected. |
| 8 |
> |
| 9 |
> The many log entries are not a serious problem, just a nuisance, but I'd |
| 10 |
> rather not have to put up with them. |
| 11 |
> |
| 12 |
> AVM, the modem's maker, says I should set shorewall up on this machine to |
| 13 |
> accept either port-80 requests or unsolicited packets of type 0x88e1. That |
| 14 |
> type is HomePlug Management, apparently, and the FritzBox is looking for any |
| 15 |
> such devices on the LAN. I don't know why it's picked on this one machine |
| 16 |
> to query, unless it's because it has the lowest IP address. |
| 17 |
> |
| 18 |
> Questions: |
| 19 |
> 1. Will I be opening myself to external HTTP attacks if I open that port to |
| 20 |
> the modem-router? I assume I will, though no such service is running - at |
| 21 |
> the moment. |
| 22 |
> 2. As far as I can see, shorewall filters only on ports, not packet types. |
| 23 |
> If so, how can I specify a packet type to it? |
| 24 |
> 3. Does anyone here know how to specify HomePlug in shorewall? |
| 25 |
> |
| 26 |
> Google hasn't helped much, nor has the Shorewall website, so I hope someone |
| 27 |
> here has experience of this. |
| 28 |
|
| 29 |
Have you seen this regarding the specific ethertypes: |
| 30 |
|
| 31 |
https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box |
| 32 |
|
| 33 |
Sadly I don't know anything about Shorewall, but you can look at configuring |
| 34 |
netfilter with some additional hand-crafted rules to drop the above ethertypes |
| 35 |
without logging them. |
| 36 |
|
| 37 |
However, what I would prefer to do in your circumstances is find if your router |
| 38 |
is supported by OpenWRT firmware and configure SQM with FQ-Codel in it to manage |
| 39 |
bufferbloat. I expect this should improve your streaming better than whatever |
| 40 |
AVM have configured in the box. |
Archives