[Cerowrt-devel] Fixing simple_qos.sh

Maciej Soltysiak maciej at soltysiak.com
Wed Jan 30 07:20:53 EST 2013 

On Tue, Jan 29, 2013 at 10:21 PM, Sebastian Moeller <moeller0 at gmx.de> wrote:

>         Any idea of how to determine link speed by a script?

I assumed Dave meant this to be as simple as fetching a file and
timing that. Basically a quite script form of http://speedtest.net/


>  As I intend to disable upnp it would be great if the link speeds still be
> stored somewhere and/or manually overridden. I want a firewall since I do
> not trust a number of devices too much, like an iPod and a nexus7 and want
> to keep them under supervision, so allowing them to pierce the firewall
> makes me feel a bit uneasy. Then again, Skype and friends figured out how
> to do NAT traversal without upnp so disabling it will only buy me a little
> more control with  a lot more hassle. Any expert on the security tradeoff
> involved with UPNP willing to give their opinion on this question.

Well, UPNP or not, with a 3rd party server outside your network and proper
client/server code Skype and friends can do hole punching.

If you don't trust ipad and nexus, you're on privacy territory, not network
security per se, so I think you're better off proxying and filtering (e.g.
privoxy), than only disabling upnp.


>         In related news:
> https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
> So maybe my uneasyness has some grounding in reality, Mind you, I have not
> yet tested whether cerowrt is affected (and I doubt that, since the linked
> exploit requires old ). Related question should cero's firewall drop tcp
> port 5000 and udp port 1900 connection requests on the wan interface to put
> in belt and suspenders for UPNP remote exploits? But how does the interact
> with using cerowrt as secondary router? (Being away from the router I can
> not easily check/change the firewall settingsā€¦)

Yeah, this old thing. One thing is cerowrt firewall ruleset is a default
ACCEPT with exceptions to block in zone_wan and that's one bad thing [tm]
and should be the other way round. Where is the file that contains the
default ruleset?

I'll try to confirm if blocking it breaks anything or not today.

Perhaps running metasploit against cero from outside and inside could be
beneficial? Or at least a through nmap scan.

Maciej
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20130130/9d8abd53/attachment-0002.html>

More information about the Cerowrt-devel mailing list