On Fri, 31 Oct 2014 07:52:54 +0100, "J. Roeleveld" <jo...@antarean.org> wrote:
> On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
[...]
> > Oh, and there are two powerline/dLAN adapters in between (the modem is in
> > the room next door), but direct connections between my computer and my
> > brother's always worked, and they've been reliable in general, so I assume
> > that they're irrelevant here.
>
> Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> might keep getting a different result each time it tries to refresh.

How so? You mean if the modem is directly connected to the powerline adapter?
I would be surprised if this were a problem in general, since AFAIU they're
ultimately just bridges as far as the network is concerned, not to mention
that they explicitly target home networks with multiple devices.

But in the end, it doesn't matter, since it's just for my desktop (which
doesn't have WLAN built-in); all other clients connect via WLAN.

FWIW, I chose powerline because it seemed like a better (and driverless!)
alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm quite
happy with it.

> > Furthermore, I found out the hard way that you *sometimes* need to reboot
> > the modem when connecting a different client for the new client to get a
> > response from the DHCP server (I discovered this after wasting half a day
> > trying to get our router to work, it would log timeouts during
> > DHCPDISCOVER). I didn't think it was the modem because when we first got
> > it, I could switch cables around between my computer and my brother's and
> > they would get their IP addresses without trouble. *sigh*
>
> That's a common flaw. These modems are designed with the idea that people
> only have 1 computer. Or at the very least put a router between the modem
> and whatever else they have.
> Please note, there is NO firewall on these modems and your machine is fully
> exposed to the internet. Unless you have your machine secured and all unused
> services disabled, you might as well assume your machine compromised.

Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the
modem's job boils down to carrying the signal over the cable network and (on a
higher level) dialing in to the ISP and forwarding packets. I would not really
expect a firewall there.

> I once connected a fresh install directly to the modem. Only took 20 seconds
> to get owned. (This was about 9 years ago and Bind was running)

Ouch.

I just hope the Fritz!Box firewall is configured correctly, especially since
there doesn't appear to be a UI for it. Well, OK, there is, but it's not very
informative in that it doesn't tell me what rules (other than manually entered
ones) are currently in effect; all it explicitly says is that it blocks
NetBIOS packets. The only other thing that's bothered me about the router is
the factory default (directly after flashing the firmware) of activating WPA2
*and* WPA (why?!). I turned off WPA as soon as I noticed.

Out of curiosity, I looked through the exported configuration file (looks like
JSON), and found entries that look like firewall rules, but don't really know
how they apply. It's less the rules themselves, though, than the context,
i.e., the rules are under "pppoefw" and "dslifaces", even though the router
uses neither PPPoE nor DSL (perhaps a sign that AVM's software grows just as
organically as everybody else's ;-) ). The one thing I'm most curious about is
what "lowinput", "highoutput", etc. mean, as Google only found me other people
asking the same question.

Anyway, it *looks* like it blocks everything from the internet by default
(except for "output-related" and "input-related", which I interpret to mean
responses to outgoing packets and... whatever "input-related" means), and the
manual seems to agree by implying that the firewall is for explicitly opening
ports. Also, I used the Heise "Netzwerk Check" and it reports no problems, so
I'm mostly relieved.

> > - At the time there was no router, just the modem. We now have a Fritz!Box
> >   3270 with the most recent firmware, but we got it after I "solved" this
> >   problem.
> >
> > - I don't know whether we have an IP block or not; I suspect not. At the
> >   very least, we didn't make special arrangements to try and get one.
>
> Then assume not. Most, if not all, ISPs charge extra for this. (If they even
> offer it)

That's what I thought :) .

Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples) directly
and ask for his opinion.

-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup