General list for discussing Bufferbloat
* [Bloat] New Cerowrt user; surprises
@ 2012-10-24 13:50 Anthony Lieuallen
From: Anthony Lieuallen @ 2012-10-24 13:50 UTC (permalink / raw)
  To: bloat


I read that it's not intended to be, but I've just installed Cerowrt as my
primary router at home.  I was surprised by the fact that:

* The list of open/filtered ports in an external nmap is bigger than I
expect.  I saw the explanation for some of them like ftp/telnet.
* But one of them is DNS, and it's really open, and recursively resolving
for the entire internet.
* And it's answering private (172.30...) names that the world shouldn't
know.
* I haven't changed any firewalling rules, but the guest wireless (gw10)
can see the lan (se00) addresses and communicate with them.

I'm sure I could tweak the rules to "fix" all of these, but I'm surprised
that this is the default configuration.  And I'm not yet 100% confident of
the difference between the Firewall pane's "General Settings" and "Traffic
Rules" yet, so I don't want to poke too much.



* Re: [Bloat] New Cerowrt user; surprises
From: Dave Taht @ 2012-10-24 15:48 UTC (permalink / raw)
  To: Anthony Lieuallen; +Cc: bloat

Up until very recently (prior release) cerowrt used bind9, with a
split view, hiding the internal dns names from the outside world. So
the port was open and safe to use. But with the switch to dnsmasq, I'd
left that port open, which is definitely a hole that should be closed
by anyone using it on the open internet. On the gripping hand, I was
hoping to go back to using bind at some point.


On Wed, Oct 24, 2012 at 6:50 AM, Anthony Lieuallen <arantius@gmail.com> wrote:
> I read that it's not intended to be, but I've just installed Cerowrt as my
> primary router at home.  I was surprised by the fact that:
>
> * The list of open/filtered ports in an external nmap is bigger than I
> expect.  I saw the explanation for some of them like ftp/telnet.

I like the ftp/telnet trick and would like to see it enhanced to also insert
firewall rules blocking access to port 81 etc on a telnet attempt. (or
having the config web server also launch from xinetd)

This would fully thwart attacks from within on the router from things
like dnschanger.

> * But one of them is DNS, and it's really open, and recursively resolving
> for the entire internet.
> * And it's answering private (172.30...) names that the world shouldn't
> know.

Yes, this was a mistake.

> * I haven't changed any firewalling rules, but the guest wireless (gw10) can
> see the lan (se00) addresses and communicate with them.

To some extent. Known insecure services are blocked. As the intent is generally
(for now) to use cerowrt as a test router INSIDE the home, excessive
firewall rules lead to all sorts of headaches.

>
> I'm sure I could tweak the rules to "fix" all of these, but I'm surprised
> that this is the default configuration.

Totally secure by default = unusable by default.

> And I'm not yet 100% confident of
> the difference between the Firewall pane's "General Settings" and "Traffic
> Rules" yet, so I don't want to poke too much.

/etc/config/firewall contains the rules. I find that and iptables
easier to understand.

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
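The two defaults questioned in this thread (a DNS port accepting queries from the WAN side, and guest-to-LAN forwarding) both live in the zone, rule and forwarding sections of /etc/config/firewall. The following is an added example, not CeroWrt's or OpenWrt's own code: a small UCI parser plus an audit that flags those two conditions, and a hardening step that drops the offending sections and re-emits the config. The sample firewall text is constructed to look like UCI syntax and is not the real CeroWrt default; the zone names ("wan", "lan", "guest") and the network names se00/gw10 are assumptions taken from the thread.

```python
"""Audit a UCI-style /etc/config/firewall for a WAN-facing DNS accept rule
and a guest->lan forwarding, then produce a hardened copy.
Added example; not CeroWrt's own code.  Sample config is constructed."""
import shlex

# Constructed sample resembling UCI syntax (not the real CeroWrt default).
WEAK_FIREWALL = """\
config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'se00'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    list network 'gw10'
    option input 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'lan'

config rule
    option name 'Allow-DNS-WAN'
    option src 'wan'
    option proto 'tcpudp'
    option dest_port '53'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text into section dicts: '.type', '.name', then options/lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)          # handles the quoted values
        if words[0] == "config":
            sections.append({".type": words[1],
                             ".name": words[2] if len(words) > 2 else None})
        elif words[0] == "option":
            sections[-1][words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "list":
            sections[-1].setdefault(words[1], []).append(words[2])
    return sections


def _is_wan_dns_accept(s):
    # An input rule (no dest zone) from wan that accepts port 53.
    ports = str(s.get("dest_port", "")).split()
    return (s.get("src") == "wan" and s.get("target") == "ACCEPT"
            and "dest" not in s and "53" in ports)


def audit_firewall(sections, guest_zones=("guest",), lan_zone="lan"):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    for s in sections:
        t = s[".type"]
        if t == "zone" and s.get("name") == "wan" and s.get("input") == "ACCEPT":
            findings.append("zone wan: input ACCEPT exposes every router service")
        elif t == "rule" and _is_wan_dns_accept(s):
            findings.append("rule %s: DNS accepted from wan (open resolver)"
                            % s.get("name", "?"))
        elif t == "forwarding" and s.get("src") in guest_zones and s.get("dest") == lan_zone:
            findings.append("forwarding %s->%s: guest clients reach LAN hosts"
                            % (s["src"], s["dest"]))
    return findings


def harden(sections, guest_zones=("guest",), lan_zone="lan"):
    """Copy with the DNS rule and guest->lan forwarding removed, wan input REJECT.
    Dropping the rule lets the wan zone's input policy apply to port 53."""
    kept = []
    for s in sections:
        s, t = dict(s), s[".type"]
        if t == "zone" and s.get("name") == "wan":
            s["input"] = "REJECT"
        elif t == "rule" and _is_wan_dns_accept(s):
            continue
        elif t == "forwarding" and s.get("src") in guest_zones and s.get("dest") == lan_zone:
            continue
        kept.append(s)
    return kept


def dump_uci(sections):
    """Serialise section dicts back into UCI text."""
    out = []
    for s in sections:
        out.append("config %s%s" % (s[".type"], " '%s'" % s[".name"] if s[".name"] else ""))
        for k, v in s.items():
            if k.startswith("."):
                continue
            if isinstance(v, list):
                out.extend("    list %s '%s'" % (k, item) for item in v)
            else:
                out.append("    option %s '%s'" % (k, v))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    weak = parse_uci(WEAK_FIREWALL)
    for finding in audit_firewall(weak):
        print("FINDING:", finding)
    print(dump_uci(harden(weak)))
```

Run against a real router's /etc/config/firewall, the audit only reports what the UCI sections say; it does not replace checking the live iptables chains (`iptables -L -n -v`) after a restart, since rules added by other packages or by hand never appear in the UCI file.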
