[Bloat] New Cerowrt user; surprises

Dave Taht dave.taht at gmail.com
Wed Oct 24 11:48:24 EDT 2012


Up until very recently (prior release) cerowrt used bind9, with a
split view, hiding the internal dns names from the outside world. So
the port was open and safe to use. But with the switch to dnsmasq, I'd
left that port open, which is definitely a hole that should be closed
by anyone using it on the open internet. On the gripping hand, I was
hoping to go back to using bind at some point.


On Wed, Oct 24, 2012 at 6:50 AM, Anthony Lieuallen <arantius at gmail.com> wrote:
> I read that it's not intended to be, but I've just installed Cerowrt as my
> primary router at home.  I was surprised by the fact that:
>
> * The list of open/filtered ports in an external nmap is bigger than I
> expect.  I saw the explanation for some of them like ftp/telnet.

I like the ftp/telnet trick and would like to see it enhanced to also insert
firewall rules blocking access to port 81 etc on a telnet attempt. (or
having the config web server also launch from xinetd)

This would fully thwart attacks from within on the router from things
like dnschanger.

> * But one of them is DNS, and it's really open, and recursively resolving
> for the entire internet.
> * And it's answering private (172.30...) names that the world shouldn't
> know.

Yes, this was a mistake.

> * I haven't changed any firewalling rules, but the guest wireless (gw10) can
> see the lan (se00) addresses and communicate with them.

To some extent. Known insecure services are blocked. As the intent is generally
(for now) to use cerowrt as a test router INSIDE the home, excessive
firewall rules lead to all sorts of headaches.

>
> I'm sure I could tweak the rules to "fix" all of these, but I'm surprised
> that this is the default configuration.

Totally secure by default = unusable by default.

> And I'm not yet 100% confident of
> the difference between the Firewall pane's "General Settings" and "Traffic
> Rules" yet, so I don't want to poke too much.

/etc/config/firewall contains the rules. I find that and iptables
easier to understand.




-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
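Added example, not from the thread and not CeroWrt's own code: a small Python audit of a UCI-syntax /etc/config/firewall (the file Dave points at) for the two exposures discussed above, DNS on port 53 accepted from the WAN zone and guest-to-LAN forwarding. The sample config is constructed; the zone names wan/lan/guest, the mapping of the page's se00 and gw10 networks onto them, and the REJECT fallback for an unset zone input policy are assumptions, not CeroWrt defaults. harden() shows the corrected config next to the weak one.

```python
"""Audit an OpenWrt/CeroWrt-style /etc/config/firewall (UCI syntax) for the two
exposures raised in the thread: port 53 reachable from the WAN zone, and
guest-to-LAN forwarding.  Zone names 'wan', 'lan' and 'guest' are assumptions."""
import shlex

# Constructed sample in UCI syntax; not a real CeroWrt file.
SAMPLE_CONFIG = """
config zone
    option name 'wan'
    option network 'wan'
    option input 'ACCEPT'

config zone
    option name 'lan'
    option network 'se00'

config zone
    option name 'guest'
    option network 'gw10'

config forwarding
    option src 'guest'
    option dest 'lan'

config rule
    option name 'Allow-DNS-wan'
    option src 'wan'
    option proto 'tcpudp'
    option dest_port '53'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text into sections {'type', 'name', 'options'}; 'list' entries are
    folded into options (last value wins), which is enough for this audit."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw)          # handles quoted values; [] for blank lines
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "config":
            sections.append({"type": words[1], "options": {},
                             "name": words[2] if len(words) > 2 else None})
        elif words[0] in ("option", "list") and sections:
            sections[-1]["options"][words[1]] = words[2] if len(words) > 2 else ""
    return sections


def port_in_spec(port, spec):
    """True if port is covered by a dest_port spec such as '53', '22 53' or '5000-5100'."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def dns_open_to_wan(sections):
    """Does port 53 from the 'wan' zone reach the router itself?  Input rules (src set,
    no dest) are checked in file order, first match wins; otherwise the zone's input
    policy decides.  An unset policy is treated as REJECT here (an assumption)."""
    for s in sections:
        o = s["options"]
        if s["type"] != "rule" or o.get("src") != "wan" or o.get("dest"):
            continue
        if o.get("proto", "tcpudp") not in ("tcpudp", "tcp", "udp", "all"):
            continue
        if port_in_spec(53, o.get("dest_port", "1-65535")):
            return o.get("target", "DROP").upper() == "ACCEPT"
    wan = next((s for s in sections
                if s["type"] == "zone" and s["options"].get("name") == "wan"), None)
    return bool(wan) and wan["options"].get("input", "REJECT").upper() == "ACCEPT"


def guest_can_reach_lan(sections):
    """True if a 'forwarding' section lets the guest zone into the lan zone."""
    return any(s["type"] == "forwarding" and s["options"].get("src") == "guest"
               and s["options"].get("dest") == "lan" for s in sections)


def audit(text):
    """Return the list of findings for a firewall config text."""
    sections = parse_uci(text)
    findings = []
    if dns_open_to_wan(sections):
        findings.append("port 53 accepted from wan: resolver is open to the internet")
    if guest_can_reach_lan(sections):
        findings.append("forwarding guest -> lan: guest wifi can reach internal hosts")
    return findings


def render_uci(sections):
    """Write sections back out in UCI syntax."""
    lines = []
    for s in sections:
        lines.append(f"config {s['type']}" + (f" '{s['name']}'" if s["name"] else ""))
        lines.extend(f"    option {k} '{v}'" for k, v in s["options"].items())
        lines.append("")
    return "\n".join(lines)


def harden(text):
    """Drop the guest->lan forwarding and, if DNS is still open, add a DROP rule ahead
    of the existing rules so it is matched first; returns the corrected UCI text."""
    sections = [s for s in parse_uci(text) if not (s["type"] == "forwarding"
                and s["options"].get("src") == "guest" and s["options"].get("dest") == "lan")]
    if dns_open_to_wan(sections):
        first = next((i for i, s in enumerate(sections) if s["type"] == "rule"), len(sections))
        sections.insert(first, {"type": "rule", "name": None, "options": {
            "name": "Drop-DNS-wan", "src": "wan", "proto": "tcpudp",
            "dest_port": "53", "target": "DROP"}})
    return render_uci(sections)
```

Running audit(SAMPLE_CONFIG) reports both findings; audit(harden(SAMPLE_CONFIG)) reports none. The first-match-wins treatment of rules is why harden() inserts its DROP rule before any existing accept rule rather than appending it; closing the port at the firewall is the belt to the braces of also telling dnsmasq to listen only on the internal interfaces.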
