From: Maciej Soltysiak
To: Sebastian Moeller
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Wed, 30 Jan 2013 13:20:53 +0100
Subject: Re: [Cerowrt-devel] Fixing simple_qos.sh

On Tue, Jan 29, 2013 at 10:21 PM, Sebastian Moeller wrote:
> Any idea of how to determine link speed by a script?

I assumed Dave meant this to be as simple as fetching a file and timing that. Basically a quick script form of http://speedtest.net/

> As I intend to disable upnp it would be great if the link speeds could still be stored somewhere and/or manually overridden. I want a firewall since I do not trust a number of devices too much, like an iPod and a nexus7, and want to keep them under supervision, so allowing them to pierce the firewall makes me feel a bit uneasy. Then again, Skype and friends figured out how to do NAT traversal without upnp, so disabling it will only buy me a little more control with a lot more hassle. Any expert on the security tradeoff involved with UPNP willing to give their opinion on this question?

Well, UPNP or not, with a 3rd party server outside your network and proper client/server code Skype and friends can do hole punching.

If you don't trust the iPad and Nexus, you're on privacy territory, not network security per se, so I think you're better off proxying and filtering (e.g. privoxy) than only disabling upnp.

> In related news:
> https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
> So maybe my uneasiness has some grounding in reality. Mind you, I have not yet tested whether cerowrt is affected (and I doubt that, since the linked exploit requires old ). Related question: should cero's firewall drop tcp port 5000 and udp port 1900 connection requests on the wan interface to put in belt and suspenders for UPNP remote exploits? But how does that interact with using cerowrt as secondary router? (Being away from the router I cannot easily check/change the firewall settings…)

Yeah, this old thing. One thing is the cerowrt firewall ruleset is a default ACCEPT with exceptions to block in zone_wan, and that's one bad thing [tm] and should be the other way round. Where is the file that contains the default ruleset?

I'll try to confirm if blocking it breaks anything or not today.

Perhaps running metasploit against cero from outside and inside could be beneficial? Or at least a thorough nmap scan.

Maciej
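An added example (not cerowrt's own code and not from this thread) of the policy check Maciej describes: it parses an OpenWrt-style /etc/config/firewall (UCI syntax, assumed here to be where the router keeps its zone policy), reports whether the wan zone defaults to ACCEPT, and prints a default-deny replacement with explicit drops for the tcp/5000 and udp/1900 ports Sebastian asks about. The sample config is constructed.

```shell
# Added example, not cerowrt's own code. Assumes the router keeps zone policy in
# OpenWrt-style /etc/config/firewall (UCI) stanzas; the sample config is constructed.
# Print "<zone> <input> <forward>" for each "config zone" stanza in file $1.
zone_policies() {
    tr -d "'\"" < "$1" | awk '
        function flush() { if (name != "") print name, inp, fwd }
        /^config[ \t]+zone/ { flush(); z = 1; name = ""; inp = "unset"; fwd = "unset"; next }
        /^config/           { flush(); z = 0; name = ""; next }
        z && /^[ \t]*option[ \t]+name[ \t]/    { name = $3 }
        z && /^[ \t]*option[ \t]+input[ \t]/   { inp = $3 }
        z && /^[ \t]*option[ \t]+forward[ \t]/ { fwd = $3 }
        END { flush() }'
}

# Exit 0 when zone $2 (default wan) is "default ACCEPT" for input or forward.
zone_is_open() {
    zone_policies "$1" | awk -v z="${2:-wan}" '
        $1 == z && ($2 == "ACCEPT" || $3 == "ACCEPT") { open = 1 }
        END { exit !open }'
}

# Default-deny wan stanza plus explicit drops for the tcp/5000 and udp/1900
# UPnP/SSDP ports, so they stay closed even if the zone policy is loosened later.
hardened_wan_config() {
    cat <<'EOF'
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config rule
    option src 'wan'
    option proto 'tcp'
    option dest_port '5000'
    option target 'DROP'

config rule
    option src 'wan'
    option proto 'udp'
    option dest_port '1900'
    option target 'DROP'
EOF
}
# Constructed sample mirroring the weak "default ACCEPT in zone wan" policy.
SAMPLE_CFG=$(mktemp)
printf "config zone\n option name 'lan'\n option input 'ACCEPT'\n option forward 'ACCEPT'\n\nconfig zone\n option name 'wan'\n option input 'ACCEPT'\n option forward 'ACCEPT'\n option masq '1'\n" > "$SAMPLE_CFG"
zone_is_open "$SAMPLE_CFG" && { echo "wan zone defaults to ACCEPT; suggested replacement:"; hardened_wan_config; }
```

Run it against the router's real config with `zone_policies /etc/config/firewall`; `zone_is_open` returns 0 only when the named zone accepts by default.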