
List:       dng
Subject:    Re: [DNG] What are you using for a firewall/router
From:       Simon <linux () thehobsons ! co ! uk>
Date:       2024-05-03 17:37:12
Message-ID: 5DCADE28-A4E5-44B0-9CF5-4A9A7949F50C () thehobsons ! co ! uk

onefang <onefang_devuan@sledjhamr.org> wrote:

> > > I'm in the same position, using Shorewall and soon to be considering
> > > nftables based alternatives.  "Just use plain nftables" is on the table.
> > 
> > Indeed, with a bit of thought and learning it's possible to do it at that level. But, for the benefit of those who haven't worked with Shorewall, that abstracts things in such a way that you can do complicated things in a much nicer way - without abstracting to the point where features start becoming impossible to use.
> 
> Well I am your typical graybeard, and I'm really good at learning complex
> computer technology.  I'll learn a programming language in an hour, so
> I'll have no problem with learning raw nftables.  But yes, a nice easier
> to use system, and still able to deal with complex things, would be
> great.  Non graphical so I can switch my servers to it as well.

I sort of fit that description, but I think it's part of my autistic wiring that I do take a bit longer - and these days it seems to be taking longer still. Also, there's also the issue of whatever time I spend learning X is time I don't have for A, B, C, D, ..., Z

> Three things worry me about what I suspect are additions by tp-link. 
> There's some sort of ISP management system built in, but I think that's
> coz they sell this same model to ISPs.

That'll probably be TR069 or similar. My ISP router has it, and no it can't be turned off :-( On the upside, it means the ISP can make any changes they need to keep up with other stuff they might be doing. The downside is that they can make changes. For most people, and the ISPs, it means "open box, plug in 'blank' router, wait, ..., router now configured and service active". Not long ago I went looking in the router logs (we'd had an internet outage), and I spotted what looks like periodic config updates, typically in the early hours (2am-ish), where it reports in the TR069 log an event with "Event code(s): '4 VALUE CHANGE'", and then the WAN connection drops and re-establishes.

> There's a place to add some sort
> of tp-link account, no idea what that does, I never set one up.

AVM have something like that with Fritzbox. The router can periodically send stats to the hub and you can view it online. Doesn't seem all that useful.

> Worst of all, some pages in the built in configuration system will check
> a DNS lookup of what looks like a Microsoft domain.  Those pages will do
> that automatically to test if the connection is up.  Yesterday the
> Internet was failing outside of the ISPs CNAT.  My router could get an
> IP, but nothing beyond that would respond.  Yet that test DNS lookup
> would work and the router declared that the Internet was working. 
> Traceroutes begged to differ.  Unless the DNS resolver their CNAT told me
> to use was inside the CNAT system, but still it failed at "Internet is
> up", it wasn't.  Not to mention I'd love to NOT have it checking with
> Microsoft, but there's no way to tell it to use some other domain.

That sucks. But then over the years I've seen all sorts of "interesting" design ideas - from Netgear routers that don't understand the existence of other than /24 networks (wouldn't allow n.n.n.0 or n.n.n.255 as a valid IP address), routers where the DHCP doesn't work if you change the RFC-1989 subnet to anything but 192.168.1.0/24, and my favourite bad guy - Zyxel who had a NAT system where they systematically changed the port number for each new connection, thus breaking anything needing to probe the NAT and work out what external port it's been mapped to (breaks SIP nicely), but apparently that "is secure and we don't care if it means things don't work because security trumps actually working" (not their words, but the gist).


Simon

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng