From: Sebastian Moeller
To: Maciej Soltysiak
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Wed, 30 Jan 2013 11:07:10 -0800
Subject: Re: [Cerowrt-devel] Fixing simple_qos.sh
Message-Id: <30AEDE9B-9397-499D-A273-C953A80383D8@gmx.de>

Hi Maciej,

thanks for your thoughts.

On Jan 30, 2013, at 04:20 , Maciej Soltysiak wrote:

>> On Tue, Jan 29, 2013 at 10:21 PM, Sebastian Moeller wrote:
>> Any idea of how to determine link speed by a script?
> I assumed Dave meant this to be as simple as fetching a file and timing that. Basically a quick script form of http://speedtest.net/

Well, I am not sure whether that is a good idea, as speedtest.net might not be as well connected as your typical servers. So personally I try to rate limit my up- and download to line rates minus 5% to avoid the bufferbloat in the CMTS/DSLAM. I guess I am hoping that all real routers suffer less from over-buffering than the consumer-facing end nodes. (Then again this is a can of worms, but the minus 5% so far worked okay for me.)

>> As I intend to disable upnp it would be great if the link speeds could still be stored somewhere and/or manually overridden. I want a firewall since I do not trust a number of devices too much, like an iPod and a nexus7, and want to keep them under supervision, so allowing them to pierce the firewall makes me feel a bit uneasy. Then again, Skype and friends figured out how to do NAT traversal without upnp, so disabling it will only buy me a little more control with a lot more hassle. Any expert on the security tradeoff involved with UPNP willing to give their opinion on this question?
> Well, UPNP or not, with a 3rd party server outside your network and proper client/server code Skype and friends can do hole punching.
>
> If you don't trust ipad and nexus, you're on privacy territory, not network security per se, so I think you're better off proxying and filtering (e.g. privoxy), than only disabling upnp.

I might have phrased that a bit awkwardly. I am not sure about the speed at which critical remotely exploitable bugs are fixed in an aging collection of devices (this certainly includes iPod and nexus, but honestly also my laptop). (If I'd really be concerned about privacy I guess I would need to disable networking in apple and google devices completely :) )

> In related news: https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

So maybe my uneasiness has some grounding in reality. Mind you, I have not yet tested whether cerowrt is affected (and I doubt that, since the linked exploit requires old ).

>> Related question: should cero's firewall drop tcp port 5000 and udp port 1900 connection requests on the wan interface to put in belt and suspenders for UPNP remote exploits? But how does that interact with using cerowrt as secondary router? (Being away from the router I can not easily check/change the firewall settings…)
> Yeah, this old thing. One thing is cerowrt firewall ruleset is a default ACCEPT with exceptions to block in zone_wan and that's one bad thing [tm] and should be the other way round.

Where is the file that contains the default ruleset? I guess this is what I will set my router to (default drop); I assume though that Dave's goal is rather to be open, so end-to-end connectivity is open enough to easily allow running your own servers. Mmmh, thinking this over, I should bolt down the router itself and the secure network segments from the outside a bit more, and use the guest segments as permissive segments in which to run servers and such...

> I'll try to confirm if blocking it breaks anything or not today.
>
> Perhaps running metasploit against cero from outside and inside could be beneficial? Or at least a thorough nmap scan.

I checked my 3.7.2-4 cerowrt router with ScanNowUPnP.exe (from rapid7) and it comes up empty, meaning cerowrt is not affected by that issue (as to be expected, as cero's miniupnp >> 1.4).

Thanks a lot for your thoughts.

best
Sebastian

> Maciej
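The WAN-side tightening discussed in the thread (a default REJECT on the wan zone instead of ACCEPT, plus explicit drops for udp/1900 SSDP discovery and the tcp/5000 control port named above), written as an added example in OpenWrt's /etc/config/firewall syntax; this is not CeroWrt's shipped ruleset, and the zone name follows the OpenWrt default while the rule names are assumed.

```uci
# Added example, not CeroWrt's own /etc/config/firewall.
# Zone name 'wan' is the OpenWrt default; rule names are assumed.

# Default policy for unsolicited traffic arriving on the WAN side:
# REJECT instead of ACCEPT, so only explicitly allowed services answer.
config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Belt and suspenders: drop SSDP discovery (udp/1900) from the WAN even
# if the default input policy is later relaxed again.
config rule
	option name 'Drop-SSDP-from-WAN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1900'
	option target 'DROP'

# Same for the UPnP control port the thread mentions (tcp/5000).
config rule
	option name 'Drop-UPnP-control-from-WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '5000'
	option target 'DROP'
```

These rules only affect traffic entering the wan zone, so with cerowrt as a secondary router it is the upstream network that loses access to those ports, not the LAN segments behind it. Apply with `/etc/init.d/firewall restart` and confirm from the WAN side that udp/1900 and tcp/5000 no longer answer.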