From: Dave Taht <dave.taht@gmail.com>
To: Anthony Lieuallen <arantius@gmail.com>
Cc: bloat@lists.bufferbloat.net
Subject: Re: [Bloat] New Cerowrt user; surprises
Date: Wed, 24 Oct 2012 08:48:24 -0700
Message-ID: <CAA93jw7DvMTez9FkLe0SYdPFj1dNLo2NF3-w_UdjZrjGNA=Caw@mail.gmail.com>
In-Reply-To: <CAOJLxTHwhb=uNfC=yWcM8g02N9Zd0QCKvMksN3bWn33mqge0Dg@mail.gmail.com>
Up until very recently (prior release) cerowrt used bind9, with a
split view, hiding the internal dns names from the outside world. So
the port was open and safe to use. But with the switch to dnsmasq, I'd
left that port open, which is definitely a hole that should be closed
by anyone using it on the open internet. On the gripping hand, I was
hoping to go back to using bind at some point.
On Wed, Oct 24, 2012 at 6:50 AM, Anthony Lieuallen <arantius@gmail.com> wrote:
> I read that it's not intended to be, but I've just installed Cerowrt as my
> primary router at home. I was surprised by the fact that:
>
> * The list of open/filtered ports in an external nmap is bigger than I
> expect. I saw the explanation for some of them like ftp/telnet.
I like the ftp/telnet trick and would like to see it enhanced to also insert
firewall rules blocking access to port 81 etc on a telnet attempt. (or
having the config web server also launch from xinetd)
This would fully thwart attacks from within on the router from things
like dnschanger.
> * But one of them is DNS, and it's really open, and recursively resolving
> for the entire internet.
> * And it's answering private (172.30...) names that the world shouldn't
> know.
Yes, this was a mistake.
> * I haven't changed any firewalling rules, but the guest wireless (gw10) can
> see the lan (se00) addresses and communicate with them.
To some extent. Known insecure services are blocked. As the intent is generally
(for now) to use cerowrt as a test router INSIDE the home, excessive
firewall rules lead to all sorts of headaches.
>
> I'm sure I could tweak the rules to "fix" all of these, but I'm surprised
> that this is the default configuration.
Totally secure by default = unusable by default.
> And I'm not yet 100% confident of
> the difference between the Firewall pane's "General Settings" and "Traffic
> Rules" yet, so I don't want to poke too much.
/etc/config/firewall contains the rules. I find that and iptables
easier to understand.
>
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat
>
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
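The two problems raised in this thread (the resolver answering recursive queries for anyone on the internet, and answering for the private names it hosts) both show up in dnsmasq's query log once `log-queries` is enabled. The following audit script is an added example written for this page, not code from CeroWrt or the thread's authors. It assumes dnsmasq's standard `log-queries` line format (`query[TYPE] name from address`); the local prefixes (172.30.42.0/24 and 172.30.43.0/24 standing in for se00 and gw10), the internal suffix `.home.lan`, and the log lines themselves are constructed placeholders, not values taken from the page.

```python
import ipaddress
import re

# Assumed log format: dnsmasq started with "log-queries", e.g.
#   Oct 24 08:48:24 dnsmasq[1234]: query[A] host.example.com from 172.30.42.10
# The sample lines below are constructed for this example; the external
# source addresses use documentation ranges (TEST-NET-2/3).
SAMPLE_LOG = """\
Oct 24 08:48:24 dnsmasq[1234]: query[A] nas.home.lan from 172.30.42.10
Oct 24 08:48:25 dnsmasq[1234]: query[A] www.example.com from 172.30.42.10
Oct 24 08:48:26 dnsmasq[1234]: query[A] www.example.org from 203.0.113.5
Oct 24 08:48:27 dnsmasq[1234]: query[A] nas.home.lan from 198.51.100.7
Oct 24 08:48:27 dnsmasq[1234]: forwarded www.example.org to 8.8.8.8
"""

# Placeholder networks for the router's inside interfaces (se00, gw10);
# replace with the real prefixes from /etc/config/network on your box.
LOCAL_NETS = (
    ipaddress.ip_network("172.30.42.0/24"),
    ipaddress.ip_network("172.30.43.0/24"),
)

# Placeholder for the domain whose names dnsmasq serves from /etc/hosts
# and DHCP leases; these should never be answered to the outside.
INTERNAL_SUFFIXES = (".home.lan",)

QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<src>\S+)")


def is_local_client(addr: str) -> bool:
    """True when the query source sits on one of the router's inside networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def audit_queries(log_text: str, internal_suffixes=INTERNAL_SUFFIXES):
    """Scan dnsmasq query log lines and return a list of findings.

    Each finding is (kind, source_address, queried_name), where kind is
    "OPEN_RESOLVER" for any query from a non-local client (the WAN side is
    being served recursion) and "INTERNAL_NAME_LEAK" when that outside client
    asked for a name in the private zone.
    """
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # "forwarded", "reply", "cached" lines carry no client
        src, name = m["src"], m["name"]
        if is_local_client(src):
            continue
        kind = ("INTERNAL_NAME_LEAK"
                if name.lower().endswith(internal_suffixes)
                else "OPEN_RESOLVER")
        findings.append((kind, src, name))
    return findings


def external_clients(findings):
    """Distinct outside addresses that used the resolver, for a quick count."""
    return sorted({src for _, src, _ in findings})


if __name__ == "__main__":
    for kind, src, name in audit_queries(SAMPLE_LOG):
        print(f"{kind:19} {src:15} {name}")
    print("external clients:", external_clients(audit_queries(SAMPLE_LOG)))
```

Run it over `logread` output (or the syslog file dnsmasq writes to) and any finding at all means port 53 is reachable from the outside; after closing it, for example with a `config rule` in /etc/config/firewall that matches `option src 'wan'`, `option proto 'tcpudp'`, `option dest_port '53'` and sets `option target 'DROP'`, a fresh run of the audit on new log lines should come back empty.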