Development issues regarding the cerowrt test router project
From: Dave Taht <dave.taht@gmail.com>
To: dpreed@reed.com
Cc: Justin Madru <justin.jdm64@gmail.com>,
	cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DLNA with wired and wireless devices
Date: Fri, 18 Jan 2013 14:01:03 -0500	[thread overview]
Message-ID: <CAA93jw6X=a4fgOAcknu8NXfP=5q+TwV4D5N+n8FwYjYCrPpbrw@mail.gmail.com> (raw)
In-Reply-To: <1358534753.401125130@apps.rackspace.com>


On Fri, Jan 18, 2013 at 1:45 PM, <dpreed@reed.com> wrote:

> A non-obvious gateway application that some people like is a "DMZ".  In
> other words, a portion of the home network (one computer), that handles
> traffic from the outside that one never wants to reach internal resources
> that are not in the DMZ.
>

I had explicitly left open an ip range in cerowrt for a DMZ if needed.
(33-65)

> Home routers often talk about how to setup a DMZ, so there ought to be a
> way to do so in a routed network.
>
>
>
> Please don't react to this by assuming that I personally like the DMZ
> concept.  I would rather do something more subtle - provide a "honeypot"
> feature that attracts would-be scanners/attackers to a place where they can
> do no harm, and where information about them can be collected.  (the latter
> could be a great benefit to consumers who opt-in to it, whereas the DMZ
> "feature" is often misused by people to get around the problem of NAT
> getting in the way - sort of an anti-DMZ)
>

I like the honeypot idea a lot. I'd like very much to be participating in
detecting and thwarting a variety of attacks. I note that a huge number of
attacks now come from within the firewall as well.

My limited preliminary attempt at this was to protect cero slightly by
installing sensors on the telnet and ftp ports on the router, using
xinetd, which disables several other services when probed (notably ssh,
except the one that I most want to disable, the web configuration server,
which can't run out of xinetd at present. Sigh).

Since doing that, several higher-end and more comprehensive tools have been
discussed on this list, but I haven't had time to pursue them (I'll gladly
take packages and patches).

I'd love to have something that tracked dns amplification attempts (and
thwarted/reported them). rbl support, too... Similarly a rate flooding
detector more robust than what openwrt currently does (and cerowrt doesn't)
would be nice (openwrt artificially rate limits icmp to 1000/sec which is
kind of large in the case of a home gateway and rather small in the case of
an ethernet)

and since this is a topic that the NSF was rather interested in, I thought
about applying for grants to try to address it (I have a draft of a
proposal if anyone wants to pursue it) in their recent solicitation round...

.... but me, I'd rather fix bufferbloat (and ipv6).

I DID build the thc ipv6 attack toolkit starting a few releases ago. The
situation there if you try that stuff out is pretty terrifying.

> -----Original Message-----
> From: "Dave Taht" <dave.taht@gmail.com>
> Sent: Friday, January 18, 2013 11:32am
> To: "Justin Madru" <justin.jdm64@gmail.com>
> Cc: cerowrt-devel@lists.bufferbloat.net
> Subject: Re: [Cerowrt-devel] DLNA with wired and wireless devices
>
>
>
> On Fri, Jan 18, 2013 at 12:36 AM, Justin Madru <justin.jdm64@gmail.com> wrote:
>
>> Awesome! It seems to be working now. Thanks!
>>
> OK, so to me this means that routing in the home, rather than bridging,
> can work even with upnp and dlna. Which makes me happy as I hope to one day
> be able to explore the effect of bridging gigE and wireless in larger scale
> networks. I have plenty of raw data showing how bad an idea it is, but
> nothing comprehensive as yet.
> A core question for me then becomes, how does upnp deal with multiple
> routers in the home, if they aren't natted?
> Another item is that upnp has the ability to advertise the available
> bandwidth to clients, and I was thinking of storing the rate limiting for
> ceroshaper in that rather that in a dedicated file. Does anything actually
> use that information? What do common bittorrent clients do with upnp
> nowadays? How about skype?
> Are there any other common gateway applications that are going to break in
> a routed environment?
>  --
> Dave Täht
>
> Fixing bufferbloat with cerowrt:
> http://www.teklibre.com/cerowrt/subscribe.html
>
-- 
Dave Täht

Fixing bufferbloat with cerowrt:
http://www.teklibre.com/cerowrt/subscribe.html
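Dave's wish above for something that tracks DNS amplification attempts, plus a rate-flooding detector more robust than a fixed per-second limit, can be approached from the resolver's log. What follows is an added example written for this page, not code from the thread, from cerowrt or from dnsmasq: it parses dnsmasq-style "query[TYPE] name from addr" lines (the sample lines are constructed), keeps a per-source sliding window, and flags sources either by raw query rate or by the share of ANY queries, the record type most often abused for amplification. The thresholds, the 172.30.42.0/24 addresses and the syslog hostname "gw" are assumptions.

```python
"""Flag LAN sources whose DNS query pattern looks like flood or amplification traffic.

Added example: parses dnsmasq-style "query[TYPE] name from addr" syslog lines and
keeps a per-source sliding window of recent queries. Sample lines are constructed.
"""
import re
from collections import defaultdict, deque

# syslog prefix (month, day, time, host) followed by dnsmasq's query line format
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) "
    r"\S+ dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (ts_seconds, qtype, name, src) for a query line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; for a window of seconds a day-relative
    # offset is enough (assumption: the log does not straddle a month boundary)
    ts = (int(m["day"]) * 86400 + int(m["h"]) * 3600
          + int(m["m"]) * 60 + int(m["s"]))
    return ts, m["qtype"], m["name"], m["src"]


def detect_dns_abuse(lines, window_s=10, max_queries=20, any_min=5, any_ratio=0.5):
    """Return {source: reason} for sources tripping either heuristic.

    "rate":      at least max_queries queries inside window_s seconds
    "any-heavy": at least any_min ANY queries making up any_ratio of the window
    """
    recent = defaultdict(deque)  # src -> deque of (ts, qtype) inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # replies, cache hits and other non-query lines
        ts, qtype, _name, src = parsed
        q = recent[src]
        q.append((ts, qtype))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        n = len(q)
        n_any = sum(1 for _, t in q if t == "ANY")
        if n >= max_queries:
            flagged[src] = "rate"  # rate outranks the ANY heuristic
        elif n_any >= any_min and n_any / n >= any_ratio:
            flagged.setdefault(src, "any-heavy")
    return flagged


def build_sample_log():
    """Constructed lines: one normal client, one ANY-heavy client, one flooder."""
    lines = [
        f"Jan 18 14:01:{s:02d} gw dnsmasq[1234]: query[A] host{s}.example.com from 172.30.42.10"
        for s in (0, 7, 15, 23, 40)
    ]
    lines += [
        f"Jan 18 14:01:0{s} gw dnsmasq[1234]: query[ANY] example.org from 172.30.42.77"
        for s in range(1, 7)  # six ANY queries in six seconds
    ]
    lines += [
        f"Jan 18 14:02:0{i // 9} gw dnsmasq[1234]: query[A] h{i}.example.net from 172.30.42.99"
        for i in range(25)  # 25 queries inside three seconds
    ]
    lines.append("Jan 18 14:02:05 gw dnsmasq[1234]: reply example.org is 198.51.100.7")
    return lines


if __name__ == "__main__":
    for src, reason in detect_dns_abuse(build_sample_log()).items():
        print(f"{src}: {reason}")
```

On a router the flagged map is the input to whatever response the operator wants: a log line for reporting, or a temporary firewall rule for the source. Note that dnsmasq only emits query lines when query logging is enabled, and that a source which is itself a downstream router will aggregate many clients, so the thresholds need to be set per deployment rather than hard-coded as in the example.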

