On Fri, 31 Oct 2014 12:16:04 +0100, "J. Roeleveld" <jo...@antarean.org> wrote:

> On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote:
> > On Fri, 31 Oct 2014 07:52:54 +0100, "J. Roeleveld" <jo...@antarean.org> wrote:
> > > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> > [...]
> > 
> > > >   Oh, and there are two powerline/dLAN adapters in between (the modem is
> > > >   in the room next door), but direct connections between my computer and
> > > >   my brother's always worked, and they've been reliable in general, so I
> > > >   assume that they're irrelevant here.
> > > 
> > > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> > > might keep getting a different result each time it tries to refresh.
> > 
> > How so?  You mean if the modem is directly connected to the powerline
> > adapter? I would be surprised if this were a problem in general, since
> > AFAIU they're ultimately just bridges as far as the network is concerned,
> > not to mention that they explicitly target home networks with multiple
> > devices.
> 
> Actually, a HUB is a better comparison.
> All the powerline adapters connect to the same network. Some you can set
> to a network-ID (think vlan) to limit this.

Also, AFAICS, all newer ones support encryption (AES128 in my case), where you
pair the devices, for which you need physical access to press the necessary
buttons. This can be used to similar effect IIUC.  No clue on cross-vendor
compatibility, though.  However, encryption was mainly targeted at solving the
next problem:

> The one time I played with one, I ended up seeing my neighbour's NAS.

Yeah, that problem gets mentioned a lot.  You can access every other
(compatible) powerline adapter on the same electric network.  Adapters on
different phases could have trouble communicating, I believe, and cross-talk
between cables can lead to data leaking into another network (but my knowledge
on things electric is reaching its end).  In my case, our apartment has an
electric meter that isolates our apartment from the others, so we're fine
(plus, the adapters use encryption as mentioned above)

> > But in the end, it doesn't matter, since it's just for my desktop (which
> > doesn't have WLAN built-in); all other clients connect via WLAN.
> > 
> > FWIW, I chose powerline because it seemed like a better (and driverless!)
> > alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm
> > quite happy with it.
> 
> If you can ensure that only 2 devices communicate, it's a valid replacement 
> for a dedicated network cable.

I didn't explicitly mention this, but the problem is that the router and modem
are in my brother's room (four-room shared student apartment, plus bathroom and
kitchen).  Now, I'm not about to drag a cable out of my room, across the hall,
and into my brother's room, never mind that neither of us could close our doors
anymore without unplugging the cable and dragging it back.

So the alternative would have been to teach my desktop WLAN, which would've been
slower unless I could find something for PCI(e) or USB3 that works with Linux,
*without* me having to check out some git repository and manually compile
things in the hope that it works.  The first USB3 WLAN adapter I found would've
led to that, so I made a snap decision in favour of powerline.  It also didn't
hurt that I was curious about it and wanted to try it out :) .

(I actually had to (unexpectedly) do that with my wireless keyboard.  Now
there's app-misc/solaar, thankfully, although why Logitech couldn't just stick
with infrared...)

> (If you accept the reduction in line-speed)

How long ago was this?  I read that all modern devices incorporate various
filters to mitigate disturbances coming from other devices and, thus, that they
perform much better (or at least more robustly) than previous generations
(they also *cause* fewer disturbances). Either way, I can saturate our 16 MiB/s
internet connection with enough parallel downloads (or with a fast enough
server, such as with speedtest.net), and LAN performance is satisfactory.  I
suspect one limiting factor is that the powerline adapters only have Fast
Ethernet connections (of course, so does the router, so it doesn't matter).

[...]
> > > I once connected a fresh install directly to the modem. Only took 20
> > > seconds to get owned. (This was about 9 years ago and Bind was running)
> > 
> > Ouch.
> 
> I was, to be honest, expecting it to be owned. (Just not this quick).
> It was done on purpose to see how long it would take. I pulled the network 
> cable when the root-kit was being installed. Was interesting to see.

I bet :) !

> > I just hope the Fritz!Box firewall is configured correctly, especially since
> > there doesn't appear to be a UI for it.  Well, OK, there is, but it's not
> > very informative in that it doesn't tell me what rules (other than manually
> > entered ones) are currently in effect; all it explicitly says is that it
> > blocks NetBIOS packets.  The only other thing that's bothered me about the
> > router is the factory default (directly after flashing the firmware) of
> > activating WPA2 *and* WPA (why?!).  I turned off WPA as soon as I noticed.
> 
> It will have NAT enabled, which blocks most incoming packets. As long as the 
> router isn't owned, you should be ok.

Right, I *expected* that, but it's nice to be able to verify it.

> > Out of curiosity, I looked through the exported configuration file (looks
> > like JSON), and found entries that look like firewall rules, but don't
> > really know how they apply.  It's less the rules themselves, though, than
> > the context, i.e., the rules are under "pppoefw" and "dslifaces", even
> > though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's
> > software grows just as organically as everybody else's ;-) ). The one thing
> > I'm most curious about is what "lowinput", "highoutput", etc. mean, as
> > Google only found me other people asking the same question.
> 
> Not familiar with those routers. Maybe someone with more knowledge can have a 
> look at the config and shed some light. I would do a find/replace on the 
> username and password you use to ensure that is masked before sending it to 
> someone to investigate.

It's not really important, again, I just like to be able to verify it, although
right now I'm probably just being unnecessarily paranoid.  AVM's routers have a
good reputation (which is why we got one), and I'm inclined to trust them unless
given reason to.

> > Anyway, it *looks* like it blocks everything from the internet by default
> > (except for "output-related" and "input-related", which I interpret to mean
> > responses to outgoing packets and... whatever "input-related" means), and
> > the manual seems to agree by implying that the firewall is for explicitly
> > opening ports. Also, I used the Heise "Netzwerk Check" and it reports no
> > problems, so I'm mostly relieved.
> 
> Yes, that's a common setting.

Again, me being overly focused on this, with a dose of paranoia.  I would be
surprised if the firewall were set up differently.

[...]
> > Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples)
> > directly and ask for his opinion.
> 
> Oki, keep us updated.

Will do.

-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup
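
[Added illustration, not part of the original message and not the Fritz!Box's own configuration: the "pppoefw"/"dslifaces" rule names and the "lowinput"/"highoutput" labels discussed above are AVM-specific and their meaning is not documented here. What follows is the policy the thread describes, "block everything from the internet by default, except responses to outgoing packets", written in Linux nftables syntax so it can be read and checked on a box where the rules are visible. The interface names lan0 and wan0 are assumed.]

```nft
# Added example of a default-deny, stateful home-router firewall (nftables).
# This is NOT the AVM/Fritz!Box ruleset; it shows the same policy in a form
# where every rule in effect can be listed with `nft list ruleset`.
table inet homefw {
    chain input {
        # Everything aimed at the router itself is dropped unless a rule accepts it.
        type filter hook input priority 0; policy drop;

        # Replies to connections the router opened (the "output-related" idea
        # from the thread) are allowed back in; broken state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Loopback and the LAN side (assumed interface name) may talk to the router.
        iifname "lo" accept
        iifname "lan0" accept

        # Deliberately no accept rule for wan0: unsolicited inbound is dropped.
        # Ports are opened by adding explicit rules here, e.g.
        #   iifname "wan0" tcp dport 22 accept
    }

    chain forward {
        # Traffic passing through the router (LAN <-> internet).
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept   # LAN may initiate toward the internet
        # No wan0 -> lan0 rule: inbound connections to LAN hosts are dropped.
    }

    chain postrouting {
        # NAT for outbound traffic; on its own NAT hides LAN hosts but does not
        # replace the drop policies above, which is why they are explicit here.
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Loading this with `nft -f` and then running `nft list ruleset` gives the kind of "what rules are currently in effect" answer the exported Fritz!Box config does not provide; the two `policy drop` lines are the part worth confirming on any router, since accept rules only matter relative to them.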
