[Cerowrt-devel] Fixing simple_qos.sh

Sebastian Moeller moeller0 at gmx.de
Wed Jan 30 14:07:10 EST 2013

Hi Maciej,

thanks for your thoughts.

On Jan 30, 2013, at 04:20 , Maciej Soltysiak wrote:

> On Tue, Jan 29, 2013 at 10:21 PM, Sebastian Moeller <moeller0 at gmx.de> wrote:
>         Any idea of how to determine link speed by a script?
> I assumed Dave meant this to be as simple as fetching a file and timing that. Basically a quite script form of http://speedtest.net/

	Well, I am not sure whether that is a good idea, as speediest.net might be not as well connected as your typical servers. So personally I try to rate limit my up and download to line rates minus 5% to avoid the buffer bloat in the CMTS/DSLAM. I guess I am hoping that all real routers suffer less from over buffering than the consumer facing endnodes. (Then again this is a can of worms, but the minus 5% so far worked okay for me)

>  As I intend to disable upnp it would be great if the link speeds still be stored somewhere and/or manually overridden. I want a firewall since I do not trust a number of devices too much, like an iPod and a nexus7 and want to keep them under supervision, so allowing them to pierce the firewall makes me feel a bit uneasy. Then again, Skype and friends figured out how to do NAT traversal without upnp so disabling it will only buy me a little more control with  a lot more hassle. Any expert on the security tradeoff involved with UPNP willing to give their opinion on this question.
> Well, UPNP or not, with a 3rd party server outside your network and proper client/server code Skype and friends can do hole punching.
> If you don't trust ipad and nexus, you're on privacy territory, not network security per se, so I think you're better off proxying and filtering (e.g. privoxy), than only disabling upnp.

	I might have phrased that a bit awkward, I am not sure about the speed in which critical remote exploitable bugs are fixed in an aging collection of devices (this certainly includes iPod and nexus, but honestly also my laptop). (If I'd really be concerned about privacy I guess I would need to disable networking in apple ang google devices completely :) )

>         In related news: https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
> So maybe my uneasyness has some grounding in reality, Mind you, I have not yet tested whether cerowrt is affected (and I doubt that, since the linked exploit requires old ). Related question should cero's firewall drop tcp port 5000 and udp port 1900 connection requests on the wan interface to put in belt and suspenders for UPNP remote exploits? But how does the interact with using cerowrt as secondary router? (Being away from the router I can not easily check/change the firewall settingsā€¦)
> Yeah, this old thing. One thing is cerowrt firewall ruleset is a default ACCEPT with exceptions to block in zone_wan and that's one bad thing [tm] and should be the other way round. Where is the file that contains the default ruleset?

	I guess this what I will set my router to (default drop), I assume though that Dave's goal is rather to be open so end to end connectivity is open enough to easily allow to run your own servers. Mmmh, thinking over this I should bolt down the router itself from the outside a bit more and the secure network segments and use the guest segments as permissive segments in which to run servers and such...

> I'll try to confirm if blocking it breaks anything or not today.
> Perhaps running metasploit against cero from outside and inside could be beneficial? Or at least a through nmap scan.

	I checked my 3.7.2-4 cerowrt router and ScanNOwUPnP.exe (from rapid7) and it comes up empty, meaning cerowrt is not affected by that issue (as to be expected as cero's miniupnp >> 1.4).

Thanks a lot for your thoughts.


> Maciej

More information about the Cerowrt-devel mailing list