On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote:
> Am Fri, 31 Oct 2014 07:52:54 +0100
> 
> schrieb "J. Roeleveld" <jo...@antarean.org>:
> > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> [...]
> 
> > > Oh, and there are two powerline/dLAN adapters in between (the modem is
> > > in the room next door), but direct connections between my computer and my
> > > brother's always worked, and they've been reliable in general, so I
> > > assume that they're irrelevant here.
> > 
> > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> > might keep getting a different result each time it tries to refresh.
> 
> How so?  You mean if the modem is directly connected to the powerline
> adapter? I would be surprised if this were a problem in general, since
> AFAIU they're ultimately just bridges as far as the network is concerned,
> not to mention that they explicitly target home networks with multiple
> devices.

Actually, a HUB is a better comparison.
All the powerline adapters connect to the same network. Some you can set 
to a network-ID (think vlan) to limit this.

The one time I played with one, I ended up seeing my neighbour's NAS.

> But in the end, it doesn't matter, since it's just for my desktop (which
> doesn't have WLAN built-in); all other clients connect via WLAN.
> 
> FWIW, I chose powerline because it seemed like a better (and driverless!)
> alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm
> quite happy with it.

If you can ensure that only 2 devices communicate, it's a valid replacement 
for a dedicated network cable. (If you accept the reduction in line-speed)

> > > Furthermore, I found out the hard way that you *sometimes* need to
> > > reboot the modem when connecting a different client for the new client
> > > to get a response from the DHCP server (I discovered this after wasting
> > > half a day trying to get our router to work; it would log timeouts during
> > > DHCPDISCOVER). I didn't think it was the modem because when we first got
> > > it, I could switch cables around between my computer and my brother's and
> > > they would get their IP addresses without trouble. *sigh*
> > 
> > That's a common flaw. These modems are designed with the idea that people
> > only have 1 computer. Or at the very least put a router between the modem
> > and whatever else they have.
> > Please note, there is NO firewall on these modems and your machine is
> > fully exposed to the internet. Unless you have your machine secured and
> > all unused services disabled, you might as well assume your machine
> > compromised.
> 
> Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the
> modem's job boils down to carrying the signal over the cable network and
> (on a higher level) dialing in to the ISP and forwarding packets.  I would
> not really expect a firewall there.

There isn't, usually.

> > I once connected a fresh install directly to the modem. Only took 20
> > seconds to get owned. (This was about 9 years ago and Bind was running)
> 
> Ouch.

I was, to be honest, expecting it to be owned. (Just not this quick).
It was done on purpose to see how long it would take. I pulled the network 
cable when the root-kit was being installed. Was interesting to see.

> I just hope the Fritz!Box firewall is configured correctly, especially since
> there doesn't appear to be a UI for it.  Well, OK, there is, but it's not
> very informative in that it doesn't tell me what rules (other than manually
> entered ones) are currently in effect; all it explicitly says is that it
> blocks NetBIOS packets.  The only other thing that's bothered me about the
> router is the factory default (directly after flashing the firmware) of
> activating WPA2 *and* WPA (why?!).  I turned off WPA as soon as I noticed.

It will have NAT enabled, which blocks most incoming packets. As long as the 
router isn't owned, you should be ok.

> Out of curiosity, I looked through the exported configuration file (looks
> like JSON), and found entries that look like firewall rules, but don't
> really know how they apply.  It's less the rules themselves, though, than
> the context, i.e., the rules are under "pppoefw" and "dslifaces", even
> though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's
> software grows just as organically as everybody else's ;-) ). The one thing
> I'm most curious about is what "lowinput", "highoutput", etc. mean, as
> Google only found me other people asking the same question.

Not familiar with those routers. Maybe someone with more knowledge can have a 
look at the config and shed some light. I would do a find/replace on the 
username and password you use to ensure that is masked before sending it to 
someone to investigate.

> Anyway, it *looks* like it blocks everything from the internet by default
> (except for "output-related" and "input-related", which I interpret to mean
> responses to outgoing packets and... whatever "input-related" means), and
> the manual seems to agree by implying that the firewall is for explicitly
> opening ports. Also, I used the Heise "Netzwerk Check" and it reports no
> problems, so I'm mostly relieved.

Yes, that's a common setting.

> > > - At the time there was no router, just the modem.  We now have a
> > >   Fritz!Box 3270 with the most recent firmware, but we got it after I
> > >   "solved" this problem.
> > > 
> > > - I don't know whether we have an IP block or not; I suspect not.  At
> > >   the very least, we didn't make special arrangements to try and get one.
> > 
> > Then assume not. Most, if not all, ISPs charge extra for this. (If they
> > even offer it)
> 
> That's what I thought :) .
> 
> Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples)
> directly and ask for his opinion.

Oki, keep us updated.

--
Joost
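Joost's point above, that a machine hanging directly off the modem had better have every unused service disabled, is something you can check mechanically before plugging in. The script below is an added example, not code from either poster: it parses `ss -tulpn`-style output (the sample embedded here is constructed, not captured from a real host), classifies each listening socket by how far it is reachable (loopback only, one specific address, or all interfaces), and reports everything reachable beyond loopback that is not on an allow-list. The allow-list contents and the process names in the sample are assumptions for the demonstration.

```python
import re
from ipaddress import ip_address

# Constructed sample of `ss -tulpn` output (iproute2 format); not a real capture.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      10     [::]:53              [::]:*            users:(("named",pid=1200,fd=21))
tcp   LISTEN 0      128    127.0.0.1:631        0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      50     192.168.178.20:139   0.0.0.0:*         users:(("smbd",pid=1500,fd=40))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def classify_scope(local_addr):
    """Return 'loopback', 'specific', 'all' or 'unknown' for an ss local address."""
    addr = local_addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if addr in ("*", "0.0.0.0", "::"):
        return "all"          # bound to every interface: reachable from the modem side
    try:
        ip = ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"     # only processes on this host can reach it
    return "specific"         # reachable on whichever network owns that address


def parse_listeners(ss_output):
    """Parse `ss -tulpn` output into a list of listener dicts."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue  # header line or something we do not understand
        proto, _state, _recvq, _sendq, local, _peer = fields[:6]
        addr, _, port = local.rpartition(":")
        match = PROCESS_RE.search(line)
        listeners.append({
            "proto": proto,
            "addr": addr,
            "port": int(port) if port.isdigit() else None,
            "process": match.group(1) if match else None,
            "scope": classify_scope(addr),
        })
    return listeners


def exposed_listeners(ss_output):
    """Listeners that are reachable from somewhere other than this host."""
    return [l for l in parse_listeners(ss_output) if l["scope"] != "loopback"]


def audit(ss_output, allowed):
    """Return (proto, port, process) for exposed sockets not in the allow-list.

    `allowed` is a set of (proto, port) tuples the operator has decided to
    keep reachable, e.g. {("tcp", 22)} for SSH.
    """
    findings = []
    for l in exposed_listeners(ss_output):
        if (l["proto"], l["port"]) not in allowed:
            findings.append((l["proto"], l["port"], l["process"]))
    return findings


if __name__ == "__main__":
    # Assumed allow-list: only SSH is meant to be reachable on this host.
    for proto, port, proc in audit(SAMPLE_SS_OUTPUT, {("tcp", 22)}):
        print(f"unexpected listener: {proto}/{port} ({proc})")
```

On a live host, pipe the real command in with `ss -tulpn | python3 listener_audit.py` after changing the `__main__` block to read `sys.stdin`; the parsing is the same. Note that a socket bound to a specific LAN address (like the `smbd` sample) is still flagged, because on a plain modem with no router that "LAN" address is the public one.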
