[Cerowrt-devel] DLNA with wired and wireless devices

Dave Taht dave.taht at gmail.com
Fri Jan 18 11:01:03 PST 2013


On Fri, Jan 18, 2013 at 1:45 PM, <dpreed at reed.com> wrote:

> A non-obvious gateway application that some people like is a "DMZ".  In
> other words, a portion of the home network (one computer), that handles
> traffic from the outside that one never wants to reach internal resources
> that are not in the DMZ.
>

I had explicitly left open an ip range in cerowrt for a DMZ if needed.
(33-65)



>
>
> Home routers often talk about how to setup a DMZ, so there ought to be a
> way to do so in a routed network.
>
>
>
> Please don't react to this by assuming that I personally like the DMZ
> concept.  I would rather do something more subtle - provide a "honeypot"
> feature that attracts would-be scanners/attackers to a place where they can
> do no harm, and where information about them can be collected.  (the latter
> could be a great benefit to consumers who opt-in to it, whereas the DMZ
> "feature" is often misused by people to get around the problem of NAT
> getting in the way - sort of an anti-DMZ)
>

I like the honeypot idea a lot. I'd like very much to be participating in
detecting and thwarting a variety of attacks. I note that a huge number of
attacks now come from within the firewall as well.

My limited preliminary attempt at this was to protect cero slightly by
installing sensors on the telnet and ftp ports on the router, using
xinetd which disable several other services when probed (notably ssh -
except the one that I most want to disable, the web configuration server,
which can't run out of xinetd at present. Sigh).

Since doing that, discussed on this list have been several higher end and
more comprehensive tools but I haven't had time to pursue them (I'll gladly
take packages and patches)

I'd love to have something that tracked dns amplification attempts (and
thwarted/reported them). rbl support, too... Similarly a rate flooding
detector more robust than what openwrt currently does (and cerowrt doesn't)
would be nice (openwrt artificially rate limits icmp to 1000/sec which is
kind of large in the case of a home gateway and rather small in the case of
an ethernet)

and since this is a topic that the NSF was rather interested in, I thought
about applying for grants to try to address it (I have a draft of a
proposal if anyone wants to pursue it) in their recent solicitation round...

.... but me, I'd rather fix bufferbloat (and ipv6).

I DID build the thc ipv6 attack toolkit starting a few releases ago. The
situation there if you try that stuff out is pretty terrifying.


>
>
> -----Original Message-----
> From: "Dave Taht" <dave.taht at gmail.com>
> Sent: Friday, January 18, 2013 11:32am
> To: "Justin Madru" <justin.jdm64 at gmail.com>
> Cc: cerowrt-devel at lists.bufferbloat.net
> Subject: Re: [Cerowrt-devel] DLNA with wired and wireless devices
>
>
>
> On Fri, Jan 18, 2013 at 12:36 AM, Justin Madru <justin.jdm64 at gmail.com>wrote:
>
>> Awesome! It seems to be working now. Thanks!
>>
> OK, so to me this means that routing in the home, rather than bridging,
> can work even with upnp and dlna. Which makes me happy as I hope to one day
> be able to explore the effect of bridging gigE and wireless in larger scale
> networks. I have plenty of raw data showing how bad an idea it is, but
> nothing comprehensive as yet.
> A core question for me then becomes, how does upnp deal with multiple
> routers in the home, if they aren't natted?
> Another item is that upnp has the ability to advertise the available
> bandwidth to clients, and I was thinking of storing the rate limiting for
> ceroshaper in that rather that in a dedicated file. Does anything actually
> use that information? What do common bittorrent clients do with upnp
> nowadays? How about skype?
> Are there any other common gateway applications that are going to break in
> a routed environment?
>  --
> Dave Täht
>
> Fixing bufferbloat with cerowrt:
> http://www.teklibre.com/cerowrt/subscribe.html
>



-- 
Dave Täht

Fixing bufferbloat with cerowrt:
http://www.teklibre.com/cerowrt/subscribe.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20130118/f8a32286/attachment.html>


More information about the Cerowrt-devel mailing list