From: Sebastian Moeller
To: Dave Taht
Date: Wed, 16 May 2012 12:51:25 -0700
Subject: Re: [Cerowrt-devel] preliminary codel and fq_codel support for cerowrt
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
List-Id: Development issues regarding the cerowrt test router project

Hi Dave,

all of this sounds interesting, and a bit scary... While I have a hunch that I am trying to flog a quite deceased horse here, I think that closed by default is the safest way to set up a secure router. If it is easy to open it up for incoming services, then everything is golden. As long as I control the router, control and restriction actually become great concepts :) (even DPI is decidedly non-scary if I perform it on my own network packages versus someone else doing it on my packages :) )

On May 16, 2012, at 10:52 AM, Dave Taht wrote:

> The problem with most home router firewalls today is that they have a strict
> "us" vs "them" concept in them, and are closely tied to what can be
> NATed, or not, which limits our internet to tcp and udp.
>
> Recently the concept of 'guest' has been added to many devices,
> which doesn't work particularly well.
>
> A problem with "us vs them" and extending this sort of thinking
> to ipv6, is that interesting new protocols such as
> sctp, hip, rdp, dccp, rsvp esp, gre, ah, skip, ospf, vrrp, isis, manet, shim6,
> wesp, and rohc...

Just to show my ignorance, but all are on top of IP packages, so why can these not be integrated into NAT default closed firewalls?

>
> are all blocked by default in ipv6, too.

Which I think is the right thing to do, as long as opening a service is a few mouse clicks away.

There is too much internet enabled gear around (say like my ipod) which is not really trustworthy, nor can it be audited easily, to go to open by default. Having the router be restrictive does not eradicate consequences from insecure devices but mitigates them some. It should be easier to keep a single router secure than a small armada of end user devices behind this thing (and so much easier to give TLC to one firewall instead of several all using slightly different configuration methods). Hey, I just realize I am a pessimist and a spassbremse...

>
> It doesn't need to be this way.
>
> I have hated living in a world of purely tcp on port 80 and 443.
>
> Seeing udp begin to fail in multiple respects - such as dns, dhcp, voice, etc
> really bothers me.

How is that related to restrictive handling of incoming data? I ask because I really do not know. I always assumed that blocking all incoming unless either related to an already initiated connection or explicitly allowed made sense and should allow most things to just work. (I am totally prepared to open the firewall for services I am interested in.)

>
> So cerowall attempted (I've never finished it) to use pattern matching
> in iptables, and device renaming, to make it possible to have a nearly
> default free zone (DFZ) for guests, and use a bare minimum of rules,
> to pass through...

That sounds great (if the secure zone stays restrictive by default, having an easy way to go into the deep end sounds great).

>
> and the core idea was also be able to pass ALL protocols everywhere,
> under ipv6.

That I cannot understand: as IPv6 becomes more pervasive, so will exploits and security issues. I see the whole issue a bit as the dichotomy between control and laissez faire; in theory cooperation easily beats strict control, but in reality cooperation only works well in special cases. And from that perspective I see allow-all incoming IPv6 as a gamble that will fail once the population of users grows beyond the early-adopter tech crowd...

>
> The current openwrt firewall solution scales O(n) where n = the number
> of interfaces
> the cerowall idea scales O(n) where n = the number of different zones.
>
> Firewalling is responsible for a minimum of 11% of the current runtime,
> with the current firewall rules, with 6 interfaces in play.

But is that not a good part of what a network edge router should do to "earn" its living :)

>
> CeroWall did a lot better, while opening up new vistas to play in.

It seems I am a chicken incapable of appreciating these vistas without worrying about what else could happen :)

Anyway, I am truly interested in learning the gains of default open routing and what risk mitigation approaches exist for the t scenario.

Best
	Sebastian

>
> --
> Dave Täht
> SKYPE: davetaht
> US Tel: 1-239-829-5608
> http://www.bufferbloat.net
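The policy Sebastian argues for (drop incoming traffic unless conntrack ties it to a flow the inside already started, or it is explicitly opened) as an ip6tables-restore ruleset generator. This is an added example, not code from the thread, cerowall or OpenWrt; the interface names eth0/br-lan and the address 2001:db8::10 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit a default-closed IPv6 ruleset in
# ip6tables-restore format. Interface names and addresses are assumptions.
WAN=${WAN:-eth0}     # upstream interface (assumed name)
LAN=${LAN:-br-lan}   # trusted LAN bridge (assumed name)

# gen_ipv6_rules HOLE...  each HOLE is "proto[,port[,dst]]", e.g.
#   "tcp,22,2001:db8::10"  open ssh to one inside host
#   "gre"                  open a whole IP protocol (no port concept)
# Anything not listed is dropped unless conntrack ties it to a flow the
# inside already started (ESTABLISHED/RELATED): the "closed by default" stance.
gen_ipv6_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 must pass: neighbour discovery and PMTU discovery depend on it
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
EOF
    # Explicit holes: only NEW inbound flows matching the listed protocol/port/host
    for hole in "$@"; do
        proto=${hole%%,*}
        rest=${hole#"$proto"}; rest=${rest#,}
        port=${rest%%,*}
        dst=${rest#"$port"}; dst=${dst#,}
        rule="-A FORWARD -i $WAN -p $proto"
        [ -n "$dst" ] && rule="$rule -d $dst"
        [ -n "$port" ] && rule="$rule --dport $port"
        echo "$rule -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# On the router: gen_ipv6_rules tcp,22,2001:db8::10 gre | ip6tables-restore
```

The `-p gre` hole shows how one of the non-TCP/UDP protocols from Dave's list is opened by IP protocol name rather than by port; without such a line it falls under the DROP policy, which is the "blocked by default" behaviour the thread discusses.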