On Tuesday, 1 March 2022 12:35:17 GMT Peter Humphrey wrote:

> Hello list,
>
> I use net-firewall/shorewall to protect my machines; it's served me well for
> many years. My ISP gave me a FritzBox modem-router recently, in the hope of
> better media streaming, but it's spamming my LAN server with HTTP requests
> (port 80). The other machines are left alone; just this one is affected.
>
> The many log entries are not a serious problem, just a nuisance, but I'd
> rather not have to put up with them.
>
> AVM, the modem's maker, says I should set shorewall up on this machine to
> accept either port-80 requests or unsolicited packets of type 0x88e1. That
> type is HomePlug Management, apparently, and the FritzBox is looking for any
> such devices on the LAN. I don't know why it's picked on this one machine
> to query, unless it's because it has the lowest IP address.
>
> Questions:
> 1. Will I be opening myself to external HTTP attacks if I open that port to
> the modem-router? I assume I will, though no such service is running - at
> the moment.
> 2. As far as I can see, shorewall filters only on ports, not packet types.
> If so, how can I specify a packet type to it?
> 3. Does anyone here know how to specify HomePlug in shorewall?
>
> Google hasn't helped much, nor has the Shorewall website, so I hope someone
> here has experience of this.

Have you seen this regarding the specific ethertypes:

https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box

Sadly I don't know anything about Shorewall, but you can look at configuring
netfilter with some additional hand-crafted rules to drop the above ethertypes
without logging them.

However, what I would prefer to do in your circumstances is find if your router
is supported by OpenWRT firmware and configure SQM with FQ-Codel in it to manage
bufferbloat. I expect this should improve your streaming better than whatever
AVM have configured in the box.
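As an added illustration of the "hand-crafted netfilter rules" suggested in the reply (this is example code, not from either poster, AVM, or the Shorewall project), the script below decodes a few hand-constructed Ethernet frames, shows which of them an IP-layer port-80 rule (the kind Shorewall/iptables writes) could ever match and which are raw 0x88e1/0x8912 frames that never enter IP processing at all, and emits an nftables ruleset that drops those ethertypes silently on the netdev ingress hook. The interface name eth0, the MAC and IP addresses, and the frame contents are all made up for the example; the 0x8912 value is the second ethertype named in the linked superuser thread.

```python
"""Ethernet frame triage for the FritzBox HomePlug probe problem.

Added example. Every frame here is constructed in this file (no capture),
and the interface name passed to nft_drop_ruleset() is an assumption.
"""
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
# 0x88e1 is HomePlug AV management; 0x8912 is the second ethertype the
# linked superuser thread reports from the FritzBox.
HOMEPLUG_ETHERTYPES = {0x88E1: "HomePlug AV", 0x8912: "HomePlug vendor (0x8912)"}


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC and ethertype, stripping one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETH_P_8021Q:            # VLAN-tagged: real type follows the TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "vlan": vlan, "payload": frame[offset:]}


def tcp_dst_port(parsed: dict):
    """TCP destination port of an IPv4/TCP frame, or None if it is not one."""
    if parsed["ethertype"] != ETH_P_IP:
        return None
    ip = parsed["payload"]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 4:     # protocol 6 = TCP
        return None
    return struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]


def classify(frame: bytes) -> str:
    """Which kind of rule can address this frame?
    'ethertype-rule': non-IP frame, only a link-layer match (nft netdev/bridge,
                      ebtables) can see it; iptables/Shorewall port rules never do.
    'port80-rule':    IPv4 TCP to port 80, i.e. what the existing log entries are.
    'other':          anything else."""
    p = parse_frame(frame)
    if p["ethertype"] in HOMEPLUG_ETHERTYPES:
        return "ethertype-rule"
    if tcp_dst_port(p) == 80:
        return "port80-rule"
    return "other"


def nft_drop_ruleset(iface: str, ethertypes=HOMEPLUG_ETHERTYPES) -> str:
    """nftables ruleset (load with `nft -f file`) that drops the given ethertypes
    on ingress of one interface, with no log statement. The netdev ingress hook
    runs before any IP-family tables, so this is independent of Shorewall's rules."""
    members = ", ".join(f"0x{t:04x}" for t in sorted(ethertypes))
    return "\n".join([
        "table netdev homeplug {",
        "    chain ingress {",
        f'        type filter hook ingress device "{iface}" priority 0; policy accept;',
        f"        ether type {{ {members} }} drop",
        "    }",
        "}",
    ])


# --- constructed sample frames (not captured traffic) -----------------------
_MACS = bytes.fromhex("0011223344556677889900aa")     # dst + src, made up


def build_ipv4_tcp_frame(dst_port: int) -> bytes:
    """Minimal IPv4/TCP SYN from 192.168.178.1 to 192.168.178.2; checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 178, 1]), bytes([192, 168, 178, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return _MACS + struct.pack("!H", ETH_P_IP) + ip + tcp


def build_raw_frame(ethertype: int, payload: bytes = b"\x00" * 46, vlan=None) -> bytes:
    """Non-IP frame with an arbitrary ethertype, optionally inside an 802.1Q tag."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return _MACS + tag + struct.pack("!H", ethertype) + payload


SAMPLE_FRAMES = {
    "router http to port 80": build_ipv4_tcp_frame(80),
    "router https to port 443": build_ipv4_tcp_frame(443),
    "homeplug av probe": build_raw_frame(0x88E1),
    "homeplug 0x8912 probe": build_raw_frame(0x8912),
    "homeplug av probe, vlan 10": build_raw_frame(0x88E1, vlan=10),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        p = parse_frame(frame)
        print(f"{name:28s} ethertype=0x{p['ethertype']:04x} vlan={p['vlan']} -> {classify(frame)}")
    print(nft_drop_ruleset("eth0"))
```

The point the classifier makes is that the two halves of AVM's advice are unrelated at the packet level: a port-80 ACCEPT in Shorewall only ever affects IPv4/IPv6 traffic, while the 0x88e1 frames are not IP and are never seen by those rules, so dropping them needs a link-layer hook such as the netdev ingress chain above (or ebtables/the nft bridge family if the interface is bridged). The generated ruleset needs a kernel with nftables netdev support and will drop HomePlug management frames for everything on that interface, so leave it out on a host that actually runs a HomePlug adapter.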