From: Dave Taht
To: Anthony Lieuallen
Cc: bloat@lists.bufferbloat.net
Date: Wed, 24 Oct 2012 08:48:24 -0700
Subject: Re: [Bloat] New Cerowrt user; surprises

Up until very recently (prior release) cerowrt used bind9, with a split view, hiding the internal dns names from the outside world. So the port was open and safe to use.

But with the switch to dnsmasq, I'd left that port open, which is definitely a hole that should be closed by anyone using it on the open internet. On the gripping hand, I was hoping to go back to using bind at some point.

On Wed, Oct 24, 2012 at 6:50 AM, Anthony Lieuallen wrote:

> I read that it's not intended to be, but I've just installed Cerowrt as my
> primary router at home. I was surprised by the fact that:
>
> * The list of open/filtered ports in an external nmap is bigger than I
> expect. I saw the explanation for some of them like ftp/telnet.

I like the ftp/telnet trick and would like to see it enhanced to also insert firewall rules blocking access to port 81 etc. on a telnet attempt (or having the config web server also launch from xinetd). This would fully thwart attacks from within on the router from things like dnschanger.

> * But one of them is DNS, and it's really open, and recursively resolving
> for the entire internet.
> * And it's answering private (172.30...) names that the world shouldn't
> know.

Yes, this was a mistake.

> * I haven't changed any firewalling rules, but the guest wireless (gw10) can
> see the lan (se00) addresses and communicate with them.

To some extent. Known insecure services are blocked. As the intent is generally (for now) to use cerowrt as a test router INSIDE the home, excessive firewall rules lead to all sorts of headaches.

> I'm sure I could tweak the rules to "fix" all of these, but I'm surprised
> that this is the default configuration.

Totally secure by default = unusable by default.

> And I'm not yet 100% confident of
> the difference between the Firewall pane's "General Settings" and "Traffic
> Rules" yet, so I don't want to poke too much.

/etc/config/firewall contains the rules. I find that and iptables easier to understand.

-- 
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
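The thread's two technical points, a router resolver left reachable from the WAN and /etc/config/firewall as the place to fix it, can be checked mechanically. The script below is an added example, not code from this thread or from the CeroWrt project: it parses the OpenWrt/CeroWrt UCI firewall syntax, embeds two constructed sample configs (a WAN zone whose input policy is ACCEPT, and a hardened one with a REJECT default plus an explicit rule for port 53), and reports which target would apply to a packet from the WAN addressed to the router itself on the DNS port. The evaluation model (first matching `rule` with `src` and no `dest` wins, otherwise the zone's `input` default; missing `proto` means tcpudp; missing zone `input` treated as REJECT) is my assumption about fw3 behaviour, and the section and option names are the real UCI ones.

```python
"""Audit an OpenWrt/CeroWrt-style /etc/config/firewall for services the
router itself exposes on the WAN side (here: the DNS resolver on port 53).
Added example; sample configs below are constructed, not from any release."""

import re

# Constructed sample: a WAN zone that accepts inbound traffic to the router
# by default, so a dnsmasq listener on port 53 is reachable from the internet.
OPEN_CONFIG = """
config zone
    option name 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'
"""

# Constructed sample: the hardened form. Inbound to the router from WAN is
# rejected by default, and an explicit rule documents that DNS stays closed.
CLOSED_CONFIG = """
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Deny-DNS-from-WAN'
    option src 'wan'
    option proto 'tcpudp'
    option dest_port '53'
    option target 'REJECT'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI syntax into a list of (section_type, {key: value}) pairs.
    'option' keys map to a string, 'list' keys to a Python list."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'?(.*?)'?$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == 'list':
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections


def _port_matches(spec, port):
    """True if a UCI port spec ('53', '53-60', or '53 853') covers port."""
    for item in spec.replace(',', ' ').split():
        lo, _, hi = item.partition('-')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def wan_input_verdict(config_text, port, proto='udp', zone='wan'):
    """Return the target (ACCEPT/REJECT/DROP) applied to a packet arriving
    from `zone` and addressed to the router itself on port/proto.
    Assumed model: first matching input rule (src set, no dest) wins;
    otherwise the zone's 'input' default applies (REJECT if unset)."""
    sections = parse_uci(config_text)
    default = 'REJECT'
    for kind, opts in sections:
        if kind == 'zone' and opts.get('name') == zone:
            default = opts.get('input', 'REJECT')
    for kind, opts in sections:
        if kind != 'rule' or opts.get('src') != zone or 'dest' in opts:
            continue
        rproto = opts.get('proto', 'tcpudp')  # fw3 default for a rule
        if rproto not in ('all', 'tcpudp', proto):
            continue
        if 'dest_port' in opts and not _port_matches(opts['dest_port'], port):
            continue
        return opts.get('target', 'DROP')
    return default


def audit_dns(config_text):
    """Report whether the router's own resolver is reachable from the WAN."""
    verdicts = {p: wan_input_verdict(config_text, 53, p) for p in ('udp', 'tcp')}
    exposed = any(v == 'ACCEPT' for v in verdicts.values())
    return exposed, verdicts


if __name__ == '__main__':
    for label, cfg in (('open', OPEN_CONFIG), ('closed', CLOSED_CONFIG)):
        exposed, verdicts = audit_dns(cfg)
        print(f"{label}: DNS reachable from WAN = {exposed} {verdicts}")
```

Running it prints `open: DNS reachable from WAN = True` and `closed: ... = False`. The zone `input` default is what decides the resolver's exposure when no rule names port 53, which is why the hardened sample changes the default rather than relying on a single rule; the explicit `Deny-DNS-from-WAN` rule is there so the intent survives later edits that might loosen the default. Closing the firewall port does not by itself stop dnsmasq from answering internal names to anyone who can reach it from another zone, so it complements, rather than replaces, restricting what the resolver listens on.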