[opensuse] securing home network
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW. Is this at all sane? Would openSUSE make a good basis for the machine? What software would I need to run on it? What hardware power would I need? TIA, Dave -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Saturday, 2019-02-02 at 21:28 -0000, Dave Howorth wrote:
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW.
Is this at all sane? Would openSUSE make a good basis for the machine? What software would I need to run on it? What hardware power would I need?
Well, what I do is to activate the firewall on all internal machines. This doesn't cover everything, because there are devices inside that do not have a firewall, and worse, do not have updates. Say a printer, an old TV recorder, or new ones, like Google Chromecast... Yes, it is possible to add a new firewall between the router and the home network. Yes, it can be a computer with two network sockets and Linux on it. Or it can be a router from the market - probably cheaper and easier to configure, but it also doesn't get updates unless it is a professional grade router. Consider that a router-firewall in the middle is a complication when it comes to "multimedia" modern applications or gadgets. Things like online games, for instance. -- Cheers, Carlos E. R. (from openSUSE 15.0 x86_64 at Telcontar)
If for instance you do not trust some smartphones or smart TVs in your home, you can create firewall rules to protect your Linux machine. I tested this with the SuSEfirewall2. You have to edit a /etc/sysconfig/scripts/SuSEfirewall2-custom file and activate it in /etc/sysconfig/SuSEfirewall2 with FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom". Then you have to add the blocking firewall rules into function fw_custom_before_port_handling(). My example blocks some common ports, but not all ports (e.g. not the HTTP and HTTPS ports) for the smartphone with hardware address 01:02:03:04:05:06.

fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.

    # the MAC address of my smartphone
    # see Settings -> About Phone -> Status
    mysmartphone="01:02:03:04:05:06"    # set the hardware address of the "dangerous" device here

    for target in LOG DROP; do
        for chain in input_ext forward_ext; do
            # block unneeded ports for my smartphone
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 22    # SSH
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 25    # SMTP
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 143   # IMAP
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 631   # CUPS
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 3306  # MySQL
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 6000  # Xorg
        done
    done
    true
}

Greetings, Björn
On 03/02/2019 01.14, Bjoern Voigt wrote:
If for instance you do not trust some smartphones or smart TVs in your home, you can create firewall rules to protect your Linux machine.
I tested this with the SuSEfirewall2. You have to edit a /etc/sysconfig/scripts/SuSEfirewall2-custom file and activate it in /etc/sysconfig/SuSEfirewall2 with
Unfortunately, SuSEfirewall2 is dead. Not supported anymore. Besides... I certainly want to control my Chromecast from Linux, I can not block it. I had to explicitly open some ports for it to work. Similarly, I also share files with my android devices via wifi. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
Carlos E. R. wrote:
Unfortunately, SuSEfirewall2 is dead. Not supported anymore.
Yes, but my custom code for SuSEfirewall2 is compact, even with 10 devices and 6 blocked ports because of the for-loops. I am not sure how to achieve the same with FirewallD. The FirewallD Wiki page for openSUSE is not long. The topic "migration of custom SuSEfirewall2 rules" is not covered. https://en.opensuse.org/Firewalld Greetings, Björn
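The per-device port blocks from Björn's SuSEfirewall2 hook can be carried over to firewalld through its direct interface, which passes raw iptables arguments (including the -m mac match) into the INPUT_direct and FORWARD_direct chains that firewalld evaluates before its zone rules. The script that follows is an added example written for this thread, not Björn's code and not anything from the openSUSE wiki; the MAC addresses and device labels are constructed placeholders, and the function names (direct_rules, rule_count, apply_rules) are this example's own.

```python
"""Added example, not code from the thread: re-express the per-device
SuSEfirewall2 port blocks as firewalld direct rules, whose arguments after
the priority are handed to iptables unchanged.  MACs/labels are constructed."""
import shlex
import subprocess

# Constructed example devices: hardware address -> short label for the log prefix.
BLOCKED_DEVICES = {
    "01:02:03:04:05:06": "phone",
    "0a:0b:0c:0d:0e:0f": "smarttv",
}

# TCP ports these devices have no business reaching on the firewall host.
BLOCKED_TCP_PORTS = {22: "SSH", 25: "SMTP", 143: "IMAP",
                     631: "CUPS", 3306: "MySQL", 6000: "Xorg"}

# INPUT protects the firewall box itself; FORWARD covers traffic it routes.
CHAINS = ("INPUT", "FORWARD")


def direct_rules(devices=BLOCKED_DEVICES, ports=BLOCKED_TCP_PORTS, chains=CHAINS):
    """Build firewall-cmd argument vectors: one LOG rule followed by one DROP
    rule per (device, chain, port).  Priority 0 keeps insertion order inside
    <chain>_direct, which firewalld consults before zone rules, so the DROP
    wins over any zone-level allow for the same port."""
    rules = []
    prefix = ["firewall-cmd", "--permanent", "--direct", "--add-rule"]
    for mac, label in devices.items():
        for chain in chains:
            for port in ports:
                match = ["ipv4", "filter", chain, "0",
                         "-m", "mac", "--mac-source", mac,
                         "-p", "tcp", "--dport", str(port)]
                # LOG is non-terminating, so it goes first; the prefix stays
                # under the 29-character limit iptables imposes on --log-prefix.
                rules.append(prefix + match + ["-j", "LOG", "--log-prefix", f"fwblock-{label}: "])
                rules.append(prefix + match + ["-j", "DROP"])
    return rules


def rule_count(devices=BLOCKED_DEVICES, ports=BLOCKED_TCP_PORTS, chains=CHAINS):
    """Number of rules direct_rules() emits for the same inputs (two targets per tuple)."""
    return 2 * len(devices) * len(chains) * len(ports)


def apply_rules(rules, dry_run=True):
    """Print shell-pasteable commands (dry run) or execute them; --permanent
    rules only reach the running firewall after --reload."""
    for argv in rules:
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)
    if not dry_run:
        subprocess.run(["firewall-cmd", "--reload"], check=True)


if __name__ == "__main__":
    apply_rules(direct_rules(), dry_run=True)
```

Running it prints the commands; `apply_rules(direct_rules(), dry_run=False)` executes them as root. Two caveats carry over from the iptables original: a source-MAC match only sees frames that originate on the same Ethernet segment (anything routed in arrives with the router's MAC) and is only valid in INPUT/FORWARD/PREROUTING, and a MAC is trivially changed by whoever holds the device, so this is a convenience control, not a trust boundary. Newer firewalld releases (1.0 and later) document the direct interface as deprecated in favour of policies, so check `firewall-cmd --version` before building on it long term.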
On 03/02/2019 23.06, Bjoern Voigt wrote:
Carlos E. R. wrote:
Unfortunately, SuSEfirewall2 is dead. Not supported anymore.
Yes, but my custom code for SuSEfirewall2 is compact, even with 10 devices and 6 blocked ports because of the for-loops. I am not sure how to achieve the same with FirewallD.
The FirewallD Wiki page for openSUSE is not long. The topic "migration of custom SuSEfirewall2 rules" is not covered. https://en.opensuse.org/Firewalld
I know :-( -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 02/02/2019 04:28 PM, Dave Howorth wrote:
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW.
NAT doesn't provide any security, beyond what a properly configured firewall can do. openSUSE has a firewall included, which can be run on every desktop. I also used to use it for my main firewall, but replaced it with pfSense three years ago, as the openSUSE firewall didn't work with DHCPv6-PD, which many ISPs use to provide IPv6. Also, with a separate firewall, you can put your ADSL modem into bridge mode, as you don't need another device providing NAT on IPv4.
On 02/02/2019 23.11, James Knott wrote:
On 02/02/2019 04:28 PM, Dave Howorth wrote:
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW.
NAT doesn't provide any security, beyond what a properly configured firewall can do.
My previous ISP-provided router had NAT but no firewall active by default. Even more, its web control page did not allow activating the firewall. The trick was to save the config to a file, edit it on the computer, add the firewall config token, and reload the config. Then the firewall appeared on the control page and could be activated. The official stance was that NAT was enough security. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 2019-02-02 at 17:38 -0500, James Knott wrote:
On 02/02/2019 05:28 PM, Carlos E. R. wrote:
The official stance was that NAT was enough security.
You've got some real strange people in Spain! ;-)
Oh, I have heard the same thing from people from many countries. -- Cheers Carlos E. R. (from openSUSE Leap 15.0 x86_64 (Minas Tirith))
Dave Howorth wrote:
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW.
Is this at all sane? Would openSUSE make a good basis for the machine? What software would I need to run on it? What hardware power would I need?
I do this here. I do have a router that does SIP(*) and would do WLAN and so on, but I decided to put a machine in between that will do DHCP and NAT, firewall everything, and also use that for providing WLAN so I also have that under my control. The latter was the most complicated - it involved bridging ethernet and wireless together so dhcpd works seamlessly, and setting up hostapd. It is running openSUSE - still LEAP 42.3, so it will need (quite some?) work on the firewall side if/when I update/migrate that. (*) that phone thing is the only reason I keep the 'modem'. The real router is actually in the cellar (fiber connection), but the phone company doesn't allow using other programs for the phone line, so it has to stay in the loop :( I'm running that on a dual core celeron Shuttle, though for only that it might even be overpowered. But once you have it available - it also is print server and NAS for the video and audio collection and my private git repo host. The only thing you should look for IMHO is 2 ethernet ports and maybe an easy connection of an external antenna for WiFi. If it would really only be firewalling you might even use a Pi - there's specialized distributions for it. The network throughput is lower, though. If you have an external Gbit line I'd not do that. openSUSE also has the Pi port, so you can use it there, too, if you feel more comfortable using something known (I do...)
On Sat, 2 Feb 2019 23:25:27 +0100 Peter Suetterlin <pit@astro.su.se> wrote:
Dave Howorth wrote:
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW.
Is this at all sane? Would openSUSE make a good basis for the machine? What software would I need to run on it? What hardware power would I need?
I do this here. I do have a router that does SIP(*) and would do WLAN and so on, but I decided to put a machine in between that will do DHCP and NAT, firewall everything, and also use that for providing WLAN so I also have that under my control. The latter was the most complicated - it involved bridging ethernet and wireless together so dhcpd works seamlessly, and setting up hostapd. It is running openSUSE - still LEAP 42.3, so it will need (quite some?) work on the firewall side if/when I update/migrate that.
(*)that phone thing is the only reason I keep the 'modem'. The real router is actually in the cellar (fiber connection), but the phone company doesn't allow using other programs for the phone line, so it has to stay in the loop :(
I'm running that on a dual core celeron Shuttle, though for only that it might even be overpowered. But once you have it available - it also is print server and NAS for the video and audio collection and my private git repo host.
The only thing you should look for IMHO is 2 ethernet ports and maybe an easy connection of an external antenna for WiFi.
If it would really only be firewalling you might even use a Pi - there's specialized distributions for it. The network throughput is lower, though. If you have an external Gbit line I'd not do that. openSUSE also has the Pi port, so you can use it there, too, if you feel more comfortable using something known (I do...)
Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes. My router does have a basic firewall as well as NAT and I don't have online gaming or any other fancy features enabled. I use a POTS line (with an unpowered handset for power failure scenarios). I hadn't even got as far in my thinking as remembering the need for two ethernet ports. How do the pi systems handle that? I had wondered whether a pi would be fast enough. My ADSL line is nowhere near a Gbit; only a few Mbit. I've got a pi I could experiment with, as well as a couple of old routers that could probably do the job, but the thought of managing another box and keeping it up to date is depressing. Especially when it HAS to work.
On 2019-02-02 at 22:51 -0000, Dave Howorth wrote:
On Sat, 2 Feb 2019 23:25:27 +0100 Peter Suetterlin <pit@astro.su.se> wrote:
Dave Howorth wrote:
...
Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes.
The IoT gadgets probably "phone home" to register on some external site. The apps on phones typically connect to this external site, who then tells the gadgets how to react. It is this last aspect which I do not have clear: maybe the gadgets just keep an outgoing connection to the internet server, so they are not affected by any firewall you may set up. If the connection is incoming, then I'm unsure. There are protocols "that just work" but pose a security risk. That's how the latest attack on the Chromecasts was done. My only IoT gadget is not registered outside, is only accessible inside, so no risk, AFAIK. The actual risk I found is that once it lost Ethernet connectivity, thus failing on its mission and purpose in life. -- Cheers Carlos E. R. (from openSUSE Leap 15.0 x86_64 (Minas Tirith))
On Sun, 3 Feb 2019 01:08:32 +0100 (CET) "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2019-02-02 at 22:51 -0000, Dave Howorth wrote:
On Sat, 2 Feb 2019 23:25:27 +0100 Peter Suetterlin <pit@astro.su.se> wrote:
Dave Howorth wrote:
...
Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes.
The IoT gadgets probably "phone home" to register on some external site. The apps on phones typically connect to this external site, who then tells the gadgets how to react. It is this last aspect which I do not have clear: maybe the gadgets just keep an outgoing connection to the internet server, so they are not affected by any firewall you may set up. If the connection is incoming, then I'm unsure. There are protocols "that just work" but pose a security risk. That's how the latest attack on the Chromecasts was done.
Connections have to be outgoing. They can't be incoming because of NAT and no open ports on the router; not to mention dynamic IP assignment by my ISP. So there are never any 'designed' incoming connections. And I see no evidence of 'naughty' connections in my router's logs, but then I wouldn't expect to if it were compromised.
My only IoT gadget is not registered outside, is only accessible inside, so no risk, AFAIK. The actual risk I found is that once it lost Ethernet connectivity, thus failing on its mission and purpose in life.
Well right, as long as the network remains secure, which is why I am asking about securing the network.
On 03/02/2019 11.44, Dave Howorth wrote:
On Sun, 3 Feb 2019 01:08:32 +0100 (CET) "Carlos E. R." wrote:
On 2019-02-02 at 22:51 -0000, Dave Howorth wrote:
On Sat, 2 Feb 2019 23:25:27 +0100 Peter Suetterlin wrote:
Dave Howorth wrote:
...
Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes.
The IoT gadgets probably "phone home" to register on some external site. The apps on phones typically connect to this external site, who then tells the gadgets how to react. It is this last aspect which I do not have clear: maybe the gadgets just keep an outgoing connection to the internet server, so they are not affected by any firewall you may set up. If the connection is incoming, then I'm unsure. There are protocols "that just work" but pose a security risk. That's how the latest attack on the Chromecasts was done.
Connections have to be outgoing. They can't be incoming because of NAT and no open ports on the router; not to mention dynamic IP assignment by my ISP. So there are never any 'designed' incoming connections. And I see no evidence of 'naughty' connections in my router's logs, but then I wouldn't expect to if it were compromised.
That's not exact, because there are modern protocols that can be used from machines inside to tell the router to open a port for an incoming connection.
<https://en.wikipedia.org/wiki/Universal_Plug_and_Play>
«One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.»
Exploit:
<https://gizmodo.com/dual-upnp-chromecast-exploit-allows-hacker-to-hijack-de-1831446345> Hackers Take Over Chromecast Device to Warn Users, Plug YouTuber PewDiePie
Then, if you are using VoIP solutions, it is very possible that there is some NAT traversal solution in place.
-- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
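Carlos's point is that a device on the LAN can ask the gateway for a port mapping without anyone touching the router's web page, so the honest way to know whether your own gateway offers that is to ask it the way a UPnP control point does: multicast an SSDP M-SEARCH for an InternetGatewayDevice, fetch the device description it points at, and read the port-mapping table with GetGenericPortMappingEntry until the gateway reports the index as invalid. The script that follows is an added example written for this thread (not Carlos's, and not from the Wikipedia or Gizmodo pages), uses only the Python standard library, and is read-only: it never calls AddPortMapping. The SSDP reply, device description and SOAP response embedded in it are constructed samples; the gateway is only contacted when the file is run directly.

```python
"""Added example (not from the thread): does a UPnP Internet Gateway Device
answer on this segment and, if so, which port mappings does it hold?
Standard library only; the SSDP/XML samples at the bottom are constructed."""
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ACTION = "GetGenericPortMappingEntry"

def build_msearch(st=IGD_ST, mx=2):
    """The SSDP M-SEARCH a UPnP control point multicasts to locate an IGD."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_headers(raw):
    """Header lines of an SSDP reply -> dict keyed by lower-case header name."""
    headers = {}
    for line in raw.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers

def find_wan_control_url(description_xml, base_url):
    """(serviceType, absolute controlURL) of the WAN{IP,PPP}Connection service, or None."""
    for svc in ET.fromstring(description_xml).iter():
        if not svc.tag.endswith("}service"):
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in svc}
        stype = fields.get("serviceType", "")
        if "WANIPConnection" in stype or "WANPPPConnection" in stype:
            return stype, urljoin(base_url, fields.get("controlURL", ""))
    return None

def build_soap(service_type, action, args):
    """SOAP envelope for one UPnP action and its named arguments."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{service_type}">{body}</u:{action}>'
            "</s:Body></s:Envelope>").encode()

def parse_mapping(response_xml):
    """Fields of a GetGenericPortMappingEntry response, 'New' prefix dropped."""
    return {el.tag.split("}")[-1][3:]: (el.text or "").strip()
            for el in ET.fromstring(response_xml).iter()
            if el.tag.split("}")[-1].startswith("New")}

def list_mappings(control_url, service_type, limit=64):
    """Read entries 0..limit-1; the IGD answers HTTP 500 once the table is exhausted."""
    mappings = []
    for index in range(limit):
        req = urllib.request.Request(
            control_url, data=build_soap(service_type, ACTION, {"NewPortMappingIndex": index}),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{service_type}#{ACTION}"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_mapping(resp.read()))
        except urllib.error.HTTPError:
            break
    return mappings

def discover(timeout=3):
    """Send one M-SEARCH; return the LOCATION header of the first IGD reply, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            return parse_ssdp_headers(sock.recvfrom(4096)[0]).get("location")
        except socket.timeout:
            return None

# Constructed samples (not captured from a real gateway) for offline checks.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                     b"ST: " + IGD_ST.encode() + b"\r\n\r\n")
SAMPLE_DESC = (b'<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
               b"<serviceList><service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1"
               b"</serviceType><controlURL>/ctl/IPConn</controlURL></service></serviceList>"
               b"</device></root>")
SAMPLE_MAPPING = (b'<?xml version="1.0"?><s:Envelope xmlns:s="' + SOAP_NS.encode() + b'"><s:Body>'
                  b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
                  b"<NewRemoteHost></NewRemoteHost><NewExternalPort>5000</NewExternalPort>"
                  b"<NewProtocol>TCP</NewProtocol><NewInternalPort>5000</NewInternalPort>"
                  b"<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>"
                  b"<NewPortMappingDescription>constructed</NewPortMappingDescription>"
                  b"<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>"
                  b"</s:Body></s:Envelope>")

if __name__ == "__main__":
    location = discover()
    wan = None
    if location:
        with urllib.request.urlopen(location, timeout=5) as resp:
            wan = find_wan_control_url(resp.read(), location)
    if wan is None:
        print("No IGD with a WAN connection service answered: UPnP looks disabled here.")
    for m in (list_mappings(*wan) if wan else []):
        print(f"{m['Protocol']} {m['ExternalPort']} -> {m['InternalClient']}:{m['InternalPort']}")
```

Run it from any machine on the home LAN. A gateway that answers at all means every device on that segment, the smart TV included, can reach the same control point; any mapping whose InternalClient is a phone or IoT device is exactly the incoming path the NAT was assumed to rule out. The fix is on the router: switch UPnP/IGD off (and NAT-PMP or PCP if the router offers those, which are separate protocols this script does not probe), then re-run and confirm the discovery times out.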
On Sun, 3 Feb 2019 13:56:07 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 03/02/2019 11.44, Dave Howorth wrote:
On Sun, 3 Feb 2019 01:08:32 +0100 (CET) "Carlos E. R." wrote:
On 2019-02-02 at 22:51 -0000, Dave Howorth wrote:
On Sat, 2 Feb 2019 23:25:27 +0100 Peter Suetterlin wrote:
Dave Howorth wrote:
...
Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes.
The IoT gadgets probably "phone home" to register on some external site. The apps on phones typically connect to this external site, who then tells the gadgets how to react. It is this last aspect which I do not have clear: maybe the gadgets just keep an outgoing connection to the internet server, so they are not affected by any firewall you may set up. If the connection is incoming, then I'm unsure. There are protocols "that just work" but pose a security risk. That's how the latest attack on the Chromecasts was done.
Connections have to be outgoing. They can't be incoming because of NAT and no open ports on the router; not to mention dynamic IP assignment by my ISP. So there are never any 'designed' incoming connections. And I see no evidence of 'naughty' connections in my router's logs, but then I wouldn't expect to if it were compromised.
That's not exact, because there are modern protocols that can be used from machines inside to tell the router to open a port for an incoming connection.
It is exact because I'm not stupid enough to enable UPnP! :) Nor would I enable any other protocol that allowed inward connections through my router.
«One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.»
Exploit:
<https://gizmodo.com/dual-upnp-chromecast-exploit-allows-hacker-to-hijack-de-1831446345> Hackers Take Over Chromecast Device to Warn Users, Plug YouTuber PewDiePie
Then, if you are using VoIP solutions, it is very possible that there is some NAT traversal solution in place.
No VoIP here. We love POTS with an unpowered phone, as I said. I like to think it will keep working even if the whole Internet is fried.
On 02/03/2019 03:10 PM, Dave Howorth wrote:
No VoIP here. We love POTS with an unpowered phone, as I said. I like to think it will keep working even if the whole Internet is fried.
The whole world is moving to IP, including the phone system. Also, your "unpowered" phone gets power from somewhere, unless it's two cans and a string. This means batteries and power backup. The batteries used to be in the central office, but now are often located elsewhere, closer to the customer. Also, with the move to fibre, there's no longer a copper path back to the CO for power, for many phones.
On Sun, 3 Feb 2019 15:17:28 -0500 James Knott <james.knott@jknott.net> wrote:
On 02/03/2019 03:10 PM, Dave Howorth wrote:
No VoIP here. We love POTS with an unpowered phone, as I said. I like to think it will keep working even if the whole Internet is fried.
The whole world is moving to IP, including the phone system. Also, your "unpowered" phone gets power from somewhere, unless it's two cans and a string. This means batteries and power backup. The batteries used to be in the central office, but now are often located elsewhere, closer to the customer. Also, with the move to fibre, there's no longer a copper path back to the CO for power, for many phones.
Aw shucks, you blew my lifelong cuddly blanket away :) I do tend to think that Openreach probably spends more time thinking about keeping the power on than I do though, so I'll keep my part simple. I once spent some time working with a telecoms supplier in London. They supplied ATM connections so clock was important to them. Their main timing was provided by a GPS clock. The backup was another GPS clock. They had another two backups that were GPS clocks. Only after all four had failed did they get to the fourth backup, which was an atomic clock. They still had to shut their entire network down one weekend because somebody had wired the incoming mains incorrectly when the place was first built.
On 02/03/2019 04:04 PM, Dave Howorth wrote:
I once spent some time working with a telecoms supplier in London. They supplied ATM connections so clock was important to them.
Many years ago, before ATM, the phone network reference clock was derived from the Loran C navigation signal. We had Austron clocks, which used that signal and distributed the timing signal to the network.
On 03/02/2019 22.20, James Knott wrote:
On 02/03/2019 04:04 PM, Dave Howorth wrote:
I once spent some time working with a telecoms supplier in London. They supplied ATM connections so clock was important to them.
Many years ago, before ATM, the phone network reference clock was derived from the Loran C navigation signal. We had Austron clocks, which used that signal and distributed the timing signal to the network.
In this context, what is ATM? Automated teller machine? Asynchronous transfer mode? I suppose the latter. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 02/04/2019 06:38 AM, Carlos E. R. wrote:
On 02/03/2019 04:04 PM, Dave Howorth wrote:
I once spent some time working with a telecoms supplier in London. They supplied ATM connections so clock was important to them.
On 03/02/2019 22.20, James Knott wrote:
Many years ago, before ATM, the phone network reference clock was derived from the Loran C navigation signal. We had Austron clocks, which used that signal and distributed the timing signal to the network.
In this context, what is ATM? Automated teller machine? Asynchronous transfer mode? I suppose the latter.
Given that we were mentioning telecom, asynchronous transfer mode. It was a great be-all and end-all tech that really didn't go very far beyond telecom use. At one point, it was even supposed to network computers.
On 03/02/2019 23:04, Dave Howorth wrote:
On Sun, 3 Feb 2019 15:17:28 -0500 James Knott <james.knott@jknott.net> wrote:
On 02/03/2019 03:10 PM, Dave Howorth wrote:
No VoIP here. We love POTS with an unpowered phone, as I said. I like to think it will keep working even if the whole Internet is fried.
The whole world is moving to IP, including the phone system
- Nostalgia: POTS: I agree.
- Here, Greek "Cosmote" provides IP including phone.
- These days, it seems the whole system relies on someone's whim: daily, we get cut off, at random times: no phone & no Internet, often for 2 or 3 hours: in many ways, life is most uncertain .......
regards
On 03/02/2019 21.10, Dave Howorth wrote:
On Sun, 3 Feb 2019 13:56:07 +0100 "Carlos E. R." wrote:
...
It is exact because I'm not stupid enough to enable UPnP! :) Nor would I enable any other protocol that allowed inward connections through my router.
No gamers at your home, I guess? :-p
Then, if you are using VoIP solutions, it is very possibly there is some NAT traversal solution in place.
No VoIP here. We love POTS with an unpowered phone, as I said. I like to think it will keep working even if the whole Internet is fried.
Ha! My house phones are apparently POTS. But the connection to the outside is the internet fibre, which doesn't carry electricity, you know. It is VoIP there. There is a gadget inside my home that does the translation, and has no battery backup. If the electricity goes down, I don't have a phone to call the technician or the company. The funny thing is that the same telephone company refuses to supply VoIP. The intention is to migrate everybody to VoIP internally and thus phase out the telephone switches. Those that refuse to migrate will probably be connected to some interconnection modules, either inside the homes, or outside, where they don't see them. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 02/04/2019 06:48 AM, Carlos E. R. wrote:
Ha! My house phones are apparently POTS. But the connection to the outside is the internet fibre, which doesn't carry electricity, you know. It is VoIP there. There is a gadget inside my home that does the translation, and has no battery backup. If the electricity goes down, I don't have a phone to call the technician or the company.
The funny thing is that the same telephone company refuses to supply VoIP.
My home "pots" phone has a terminal connected to the cable TV network. However, there is a battery in the terminal and the cable company also has batteries in the nodes throughout the network.
Dave Howorth wrote:
Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes.
You can create subnets on the same network. E.g., in our observatory the server's ethernet port has a second address in the 192.168 range, and unknown devices (like phones and tablets from visitors) get an address in that range. Although on the same physical net, that way they lack the rights that other 'official' computers in there do have.
I hadn't even got as far in my thinking as remembering the need for two ethernet ports. How do the pi systems handle that? I had wondered whether a pi would be fast enough. My ADSL line is nowhere near a Gbit; only a few Mbit.
Then a Pi for sure would be enough. You'd need a USB network device as second port (also the 'real' ethernet of the Pi sits on the USB bus IIRC - the reason it doesn't really reach the full speed of a Gbit).
I've got a pi I could experiment with, as well as a couple of old routers that could probably do the job, but the thought of managing another box and keeping it up to date is depressing. Especially when it HAS to work.
Well, OOTB routers are of course fine and convenient. The problem is you tend to forget about them - and also about keeping them up to date :o Security and unattended operation don't go together too well....
On 2019-02-02 5:51 p.m., Dave Howorth wrote:
Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes.
My router does have a basic firewall as well as NAT and I don't have online gaming or any other fancy features enabled. I use a POTS line (with an unpowered handset for power failure scenarios).
I run one of two things, either a Thompson cable router that is an 'all in one' which offers the NAT to 4 Ethernet + wifi, or a Thompson cable router that offers a single Ethernet port that I then run to a Netgear ProSafe Firewall/switch which I can make look like a NAT. I plug a Linksys wifi router into that. What this amounts to, however I cook it, boils down to Cable -> router -> NAT(Ethernet, wifi) We can drown arguing over details. Like you I don't have any special ports open for gaming, though I keep thinking about mapping through to Postfix and/or Apache if I ever resurrect my DynDNS account. But let's leave that out of the discussion. James correctly points out that NAT is not a security mechanism. Well he's correct in absolute terms; NAT can't be relied on for security. But that doesn't mean that the routers which incorporate NAT can't be made more robust. I'm not saying that they will withstand any kind of determined attack, only that they can be configured so as not to be in CFM mode and not open to automated drive-by scans for glaring weaknesses. And, to be honest, that's an aspect of the router software rather than anything to do with NAT. Of course there's also stuff like https://wiki.dd-wrt.com/wiki/index.php/Main_Page and the main advantage of DD-WRT is that it is easier to install updates than most vendors' systems! Don't scoff - that is very much a security advantage. https://wiki.dd-wrt.com/wiki/index.php/KRACK_Vulnerability_and_DD-WRT And DD-WRT provides additional security features such as iptables as well as add-on features to monitor the traffic and utilization. And Pi? https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi The basic Pi only has 1 ethernet port so it's not possible to be used as a router. But there are other boards that use ARM processors that have more on the board. Go google. ========================================= As I said above, real world routers do more than just NAT.
My Thompson can do packet inspection on web traffic: Web Content Filter : This page allows certain Web-oriented cookies, java scripts, and pop-up windows to be blocked by the firewall. A list of "trusted computers" can also be defined that are not subject to any filters configured. Specific Firewall features can also be enabled. It is highly recommended that the Firewall is left enabled at all times for protection against Denial of Service attacks. Go to the Parental Control page to block internet access to specific sites. It then goes on to list: Web Features Filter Proxy [] Enable Filter Cookies [] Enable Filter Java Applets [] Enable Filter ActiveX [] Enable Filter Popup Windows [] Enable Block Fragmented IP Packets [] Enable Port Scan Detection [] Enable IP Flood Detection [] Enable Firewall Protection [] Enable One presumes the argument is that you have all that CPU power, why not do something with it? After all, that is a 'security' feature that one does find on firewalls. Now the above or something similar may or may not be available on your specific hardware, but what you might have, probably have, is some kind of filtering, be it by IP port/range or by MAC address. That may require a bit of thought about address assignment, and some of it seems to be denial of specifics rather than allowing specifics. YMMV. Again this is a form of security we sometimes see on firewalls and it has nothing to do with NAT. My advice? Go directly to OpenWrt or DD-WRT (but maybe not with a Pi) and install a full-featured router with NAT AND stuff like iptables, which is familiar and for which there is a lot of support. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Dave, et al -- ...and then Dave Howorth said... % % I've been thinking about security a bit. Most of my home security ... % putting another dedicated machine in between my router and my network % to make it harder to penetrate. My router also provides my WAN, FWIW. % % Is this at all sane? Would openSUSE make a good basis for the machine? % What software would I need to run on it? What hardware power would I % need? I've enjoyed this discussion. I've wondered about the whole IoT thing myself. I'm lazy, too, so if I were going to tackle it, I'd probably create a network for all of those pieces -- and perhaps also houseguests -- that puts all of that in a sandbox so that none of it can see my machines. I'd likely put it "inside" and have that router/firewall go out through my trusted network so that I don't have to rely on MY traffic going through THAT network, but I also admit that I haven't thought about this a whole lot :-) % % TIA, Dave HTH & HANW :-D -- David T-G See http://justpickone.org/davidtg/email/ See http://justpickone.org/davidtg/tofu.txt
On 2/2/19 1:28 PM, Dave Howorth wrote:
Most of my home security depends on my ADSL router and especially on the NAT it provides.
Setting a proper FW at the entry point is the most effective way. That's why it's called a FireWall -- peaceful world inside of it whatever you have inside. My suggestion is: 1) find a proper FW that suits your need, satisfaction and budget, either a PC/server based (of course with two NICs:inside and outside) or a dedicated box/chassis based (always come with 2+ interfaces for both sides), and hopefully coming with a subscription to update virus/malware/etc. signature database as soon as possible. In other words, look for a business class FW targeted at home offices. 2) Put your vendor ADSL router/modem in modem/bridge mode, so that the FW in 1) behind the vendor modem can handle NAT/VIP and all other firewalling needs. Toshi
Toshi, et al -- ...and then Toshi Esumi said... % % On 2/2/19 1:28 PM, Dave Howorth wrote: % ... % 2) Put your vendor ADSL router/modem in modem/bridge mode, so that % the FW in 1) behind the vendor modem can handle NAT/VIP and all % other firewalling needs. But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect? % % % Toshi HANW :-D -- David T-G See http://justpickone.org/davidtg/email/ See http://justpickone.org/davidtg/tofu.txt
On 2/2/19 8:47 PM, David T-G wrote:
...and then Toshi Esumi said... % % On 2/2/19 1:28 PM, Dave Howorth wrote: % ... % 2) Put your vendor ADSL router/modem in modem/bridge mode, so that % the FW in 1) behind the vendor modem can handle NAT/VIP and all % other firewalling needs.
But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect?
Ok, I guess I should have put 3). 3) have a cheap VLAN capable switch to do internal segmentation and trunk all segments (either with VLANs or multiple ports if the FW chassis has them) pulled to the FW without interconnecting them together. The FW should be the gateway between segments. But IoT devices never get hacked or virus infected unless it's connected to the internet. And the FW is controlling both those IoT devices and your servers, etc. I don't mind putting them together at my home as long as those are behind a solid FW, which I have a hardware-based+subscription-based one. Of course, if something that has another way to connect to the internet, like 4G/5G phones/tablets etc., (I don't connect them to LAN, other than WiFi, which is connected to the same FW), you need to take care of that side separately. Because that's another "Point of Entry from the Internet". You need FWs on those too probably at device level. Toshi
On Sat, 2 Feb 2019 21:14:33 -0800 Toshi Esumi <suse_email2@toshiesumi.com> wrote:
On 2/2/19 8:47 PM, David T-G wrote:
...and then Toshi Esumi said... % % On 2/2/19 1:28 PM, Dave Howorth wrote: % ... % 2) Put your vendor ADSL router/modem in modem/bridge mode, so that % the FW in 1) behind the vendor modem can handle NAT/VIP and all % other firewalling needs.
But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect?
Ok, I guess I should have put 3).
3) have a cheap VLAN capable switch to do internal segmentation and trunk all segments (either with VLANs or multiple ports if the FW chassis has them) pulled to the FW without interconnecting them together. The FW should be the gateway between segments.
But IoT devices never get hacked or virus infected unless it's connected to the internet. And the FW is controlling both those IoT devices and your servers, etc. I don't mind putting them together at my home as long as those are behind a solid FW, which I have a hardware-based+subscription-based one. Of course, if something that has another way to connect to the internet, like 4G/5G phones/tablets etc., (I don't connect them to LAN, other than WiFi, which is connected to the same FW), you need to take care of that side separately. Because that's another "Point of Entry from the Internet". You need FWs on those too probably at device level.
Toshi
Thanks David and Toshi. Between you I think you've identified a good strategy for me. I'll start looking for a suitable device or devices. We don't let phones etc. connect to the Internet except via our wi-fi, and my wife is aware not to click on links etc. so hopefully they're reasonably safe.
On 03/02/2019 06.14, Toshi Esumi wrote:
On 2/2/19 8:47 PM, David T-G wrote:
...and then Toshi Esumi said... % % On 2/2/19 1:28 PM, Dave Howorth wrote: % ... % 2) Put your vendor ADSL router/modem in modem/bridge mode, so that % the FW in 1) behind the vendor modem can handle NAT/VIP and all % other firewalling needs.
But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect?
Ok, I guess I should have put 3).
3) have a cheap VLAN capable switch to do internal segmentation and trunk all segments (either with VLANs or multiple ports if the FW chassis has them) pulled to the FW without interconnecting them together. The FW should be the gateway between segments.
But IoT devices never get hacked or virus infected unless it's connected to the internet. And the FW is controlling both those IoT devices and your servers, etc.
Nope. They connect from inside to an outside server. Firewalls do not block those connections by default. And blocking them negates the utility to control the sitting room intelligent lamp from the phone... -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
Carlos, et al -- ...and then Carlos E. R. said... % % On 03/02/2019 05.47, David T-G wrote: % > % > But that puts a "good" server on the same network as all of those IoT % > devices. Shouldn't we want the fridge and the thermostat and so on to % > not even be able to see a computer we want to protect? % % Certainly not. % % I have an intelligent fridge, for sure I want to talk to it from home % and maybe from outside too. Yes. The computer can talk to the fridge, but the fridge shouldn't see the computer. % % What good is an intelligent toaster if I can not see when the toast is % ready from my android phone or my computer? I might buy instead a toaster. *grin* ...and then Carlos E. R. said... % % On 03/02/2019 06.14, Toshi Esumi wrote: % > ... % > But IoT devices never get hacked or virus infected unless it's connected % > to the internet. And the FW is controlling both those IoT devices and % > your servers, etc. % ... % those connections by default. And blocking them negates the utility to % control the sitting room intelligent lamp from the phone... It may well be that one can talk directly to the fridge without going out to its central web server. I dunno; my thermostat, for instance, isn't like that. But if you have your trusted machines (and maybe your phone) in the safe network, they can still see the fridge in the outer ring. If you put your phone on the outer ring, then it can see them directly. Sooooo... How doesn't it work? HANW :-D -- David T-G See http://justpickone.org/davidtg/email/ See http://justpickone.org/davidtg/tofu.txt
On 03/02/2019 15.59, David T-G wrote:
Carlos, et al --
...and then Carlos E. R. said... % % On 03/02/2019 05.47, David T-G wrote: % > % > But that puts a "good" server on the same network as all of those IoT % > devices. Shouldn't we want the fridge and the thermostat and so on to % > not even be able to see a computer we want to protect? % % Certainly not. % % I have an intelligent fridge, for sure I want to talk to it from home % and maybe from outside too.
Yes. The computer can talk to the fridge, but the fridge shouldn't see the computer.
Why not? The fridge may have important things to tell me when he wants. Like, hey, you have to buy more butter. :-)
% % What good is an intelligent toaster if I can not see when the toast is % ready from my android phone or my computer? I might buy instead a toaster.
*grin*
:-)
...and then Carlos E. R. said... % % On 03/02/2019 06.14, Toshi Esumi wrote: % > ... % > But IoT devices never get hacked or virus infected unless it's connected % > to the internet. And the FW is controlling both those IoT devices and % > your servers, etc. % ... % those connections by default. And blocking them negates the utility to % control the sitting room intelligent lamp from the phone...
It may well be that one can talk directly to the fridge without going out to its central web server. I dunno; my thermostat, for instance, isn't like that. But if you have your trusted machines (and maybe your phone) in the safe network, they can still see the fridge in the outer ring. If you put your phone on the outer ring, then it can see them directly. Sooooo... How doesn't it work?
I only have one IoT thing, a controllable power strip, and I bought one that is controllable from inside. But it is designed to be controlled from outside, by registering on some outside server on a fixed IP. The android app connects to that server, not to the internal IP. But I don't use it, I didn't register. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On Sun, 3 Feb 2019 16:22:11 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 03/02/2019 15.59, David T-G wrote:
Carlos, et al --
...and then Carlos E. R. said... % % On 03/02/2019 05.47, David T-G wrote: % > % > But that puts a "good" server on the same network as all of those IoT % > devices. Shouldn't we want the fridge and the thermostat and so on to % > not even be able to see a computer we want to protect? % % Certainly not. % % I have an intelligent fridge, for sure I want to talk to it from home % and maybe from outside too.
Yes. The computer can talk to the fridge, but the fridge shouldn't see the computer.
Why not? The fridge may have important things to tell me when he wants. Like, hey, you have to buy more butter. :-)
Please change the subject or better, start a new thread if you wish to go off topic. And the answer to your implied question is that there are both pull and push technologies that allow notifications. Choose the appropriate one.
On 03/02/2019 21.18, Dave Howorth wrote:
On Sun, 3 Feb 2019 16:22:11 +0100 "Carlos E. R." <> wrote:
On 03/02/2019 15.59, David T-G wrote:
Carlos, et al --
...and then Carlos E. R. said... % % On 03/02/2019 05.47, David T-G wrote: % > % > But that puts a "good" server on the same network as all of those IoT % > devices. Shouldn't we want the fridge and the thermostat and so on to % > not even be able to see a computer we want to protect? % % Certainly not. % % I have an intelligent fridge, for sure I want to talk to it from home % and maybe from outside too.
Yes. The computer can talk to the fridge, but the fridge shouldn't see the computer.
Why not? The fridge may have important things to tell me when he wants. Like, hey, you have to buy more butter. :-)
Please change the subject or better, start a new thread if you wish to go off topic.
And the answer to your implied question is that there are both pull and push technologies that allow notifications. Choose the appropriate one.
I don't wish to go off topic. I'm only saying that gadgets inside the house need to communicate with outside to work, and that your chosen firewalling solution must attend to those modern needs. I don't think that using different networks at home is the appropriate way, limiting functionality. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
Carlos E. R. wrote:
I don't wish to go offtopic. I'm only saying that gadgets inside the house need to communicate with outside to work, and that your chosen firewalling solution must attend to those modern needs.
Anything on the inside communicating with the outside is usually not a problem, as long as the inside initiates the connection. (tcp). With udp, you sometimes need a different solution.
I don't think that using different networks at home is the appropriate way, limiting functionality.
Hmm, I would say it is both easy and appropriate - with DHCP it is easy to dish out the appropriate addresses and the firewall is easily set up to provide different privileges depending on the subnet. For instance, any unknown (undefined) device on my network is given addresses in a separate range, and given very limited access. This is for friends visiting with mobile devices. Similar with our VoIP devices. -- Per Jessen, Zürich (0.3°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
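The per-subnet privilege scheme Per describes here, together with the "inside initiates the connection" rule from his reply just above, as an added Python example that is not code from the thread or from any project it mentions: a small model of a stateful zone-based gateway that decides whether a flow between the trusted LAN, an IoT subnet, a guest subnet and the Internet is accepted. The three subnet numbers and every sample address are assumptions constructed for the example.

```python
"""Zone-based home gateway model (added example, not from the thread).

Models the segmentation discussed in the thread: a trusted LAN, an IoT
subnet and a guest subnet behind one Linux gateway. Only the trusted side
may open connections to the gadgets, inside-initiated flows to the Internet
are allowed, and replies to tracked flows pass statefully. All addressing
below is constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing plan; DHCP hands out addresses per subnet.
ZONES = {
    "trusted": ip_network("192.168.1.0/24"),   # your own Linux boxes
    "iot": ip_network("192.168.2.0/24"),       # printer, Chromecast, thermostat
    "guest": ip_network("192.168.3.0/24"),     # visitors' phones and tablets
}

# (source zone, destination zone) -> may it open a NEW connection?
# Pairs not listed fall through to drop, which covers every inbound flow
# from the Internet ("wan") and anything from guest or iot towards trusted.
NEW_CONNECTION_POLICY = {
    ("trusted", "wan"): True,
    ("trusted", "iot"): True,    # the computer can talk to the fridge ...
    ("iot", "trusted"): False,   # ... but the fridge cannot see the computer
    ("iot", "wan"): True,        # gadgets phone home to their vendor service
    ("guest", "wan"): True,      # visitors get Internet only
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the three subnets is 'wan'."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "wan"


@dataclass
class Gateway:
    """Stateful filter: replies to tracked flows are accepted (the role of
    'ct state established' in nftables); new flows consult the policy."""
    conntrack: set = field(default_factory=set)

    def check(self, src: str, sport: int, dst: str, dport: int,
              proto: str = "tcp") -> str:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            # Same segment: the switch forwards it, the gateway never sees it.
            return "accept"
        flow = (proto, src, sport, dst, dport)
        reply_of = (proto, dst, dport, src, sport)
        if reply_of in self.conntrack:
            # Return traffic for a flow opened from the permitted side.
            # Conntrack matches UDP replies the same way; protocols whose
            # answer comes from another address/port (multicast discovery,
            # for instance) are not matched and need an explicit rule.
            return "accept"
        if NEW_CONNECTION_POLICY.get((src_zone, dst_zone), False):
            self.conntrack.add(flow)
            return "accept"
        return "drop"


def run_samples() -> list:
    """Evaluate a constructed set of flows; returns (description, verdict) pairs."""
    gw = Gateway()
    samples = [
        ("trusted PC opens HTTP to IoT cam", ("192.168.1.10", 40000, "192.168.2.20", 80)),
        ("IoT cam replies to that flow", ("192.168.2.20", 80, "192.168.1.10", 40000)),
        ("IoT cam tries SSH to trusted PC", ("192.168.2.20", 5000, "192.168.1.10", 22)),
        ("IoT cam phones home (HTTPS)", ("192.168.2.20", 5001, "203.0.113.9", 443)),
        ("vendor service replies", ("203.0.113.9", 443, "192.168.2.20", 5001)),
        ("unsolicited inbound SSH from Internet", ("198.51.100.7", 6000, "192.168.1.10", 22)),
        ("guest phone tries trusted PC", ("192.168.3.7", 6001, "192.168.1.10", 22)),
        ("trusted PC DNS query over UDP", ("192.168.1.10", 53000, "203.0.113.53", 53, "udp")),
        ("DNS reply over UDP", ("203.0.113.53", 53, "192.168.1.10", 53000, "udp")),
    ]
    return [(desc, gw.check(*args)) for desc, args in samples]


if __name__ == "__main__":
    for desc, verdict in run_samples():
        print(f"{verdict:6}  {desc}")
```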
On Monday, 2019-02-04 at 13:56 +0100, Per Jessen wrote:
Carlos E. R. wrote:
I don't wish to go offtopic. I'm only saying that gadgets inside the house need to communicate with outside to work, and that your chosen firewalling solution must attend to those modern needs.
Anything on the inside communicating with the outside is usually not a problem, as long as the inside initiates the connection. (tcp). With udp, you sometimes need a different solution.
Yes, that's the current solution used by IoT gadgets. He says he is not using any of those, though. I use one in local mode only, so it is secure.
I don't think that using different networks at home is the appropriate way, limiting functionality.
Hmm, I would say it is both easy and appropriate - with DHCP it is easy to dish out the appropriate addresses and the firewall is easily set up to provide different privileges depending on the subnet. For instance, any unknown (undefined) device on my network is given addresses in a separate range, and given very limited access. This is for friends visiting with mobile devices. Similar with our VoIP devices.
That's a feature I miss on my setup; but on the other hand, I want mutual access between my computer and my gadgets, like the Chromecast: I can launch movies from my computer or phones, and also play movies stored on a local computer. Placing the Chromecast on another vlan would break features. To do that, I had to open ports on those computers. As it is not clear which ports, I opened all (to that IP), hoping to limit them at some point when I find out more. Otherwise, Chrome does not find the Chromecast device. - -- Cheers, Carlos E. R. (from openSUSE 15.0 x86_64 at Telcontar)
Carlos E. R. wrote:
I don't think that using different networks at home is the appropriate way, limiting functionality.
Hmm, I would say it is both easy and appropriate - with DHCP it is easy to dish out the appropriate addresses and the firewall is easily set up to provide different privileges depending on the subnet. For instance, any unknown (undefined) device on my network is given addresses in a separate range, and given very limited access. This is for friends visiting with mobile devices. Similar with our VoIP devices.
That's a feature I miss on my setup; but on the other hand, I want mutual access between my computer and my gadgets, like the Chromecast: I can launch movies from my computer or phones, and also play movies stored on a local computer. Placing the Chromecast on another vlan would break features.
Nobody mentioned vlans (yet) - only subnetting. Regardless, even if you used vlans, you can still route between them, they don't break features. -- Per Jessen, Zürich (0.9°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 02/04/2019 09:08 AM, Per Jessen wrote:
Nobody mentioned vlans (yet) - only subnetting. Regardless, even if you used vlans, you can still route between them, they don't break features.
VLANs are beyond the capability of most consumer routers, though managed switches, capable of VLANs, are now fairly cheap.
On 02/04/2019 07:56 AM, Per Jessen wrote:
I don't think that using different networks at home is the appropriate way, limiting functionality. Hmm, I would say it is both easy and appropriate - with DHCP it is easy to dish out the appropriate addresses and the firewall is easily set up to provide different privileges depending on the subnet. For instance, any unknown (undefined) device on my network is given addresses in a separate range, and given very limited access. This is for friends visiting with mobile devices. Similar with our VoIP devices.
Many home routers support guest WiFi, which only allows access to the Internet.
On 2019-02-04 at 09:03 -0500, James Knott wrote:
On 02/04/2019 07:56 AM, Per Jessen wrote:
I don't think that using different networks at home is the appropriate way, limiting functionality. Hmm, I would say it is both easy and appropriate - with DHCP it is easy to dish out the appropriate addresses and the firewall is easily set up to provide different privileges depending on the subnet. For instance, any unknown (undefined) device on my network is given addresses in a separate range, and given very limited access. This is for friends visiting with mobile devices. Similar with our VoIP devices.
Many home routers support guest WiFi, which only allows access to the Internet.
I just tried mine. It offers 3 or 4 guest keys. I activated #1, connected my other laptop to it, and could ping any host in my lan, could ssh to my desktop machine just fine. :-(( The only advantage is not giving them my main password, and changing to another when the guest leaves. So, don't assume guest wifi is isolated. The only thing mine does is something the router calls "isolate clients" (activated), disable WMM advertise, enable WMF, and limit the number of clients. - -- Cheers Carlos E. R. (from openSUSE Leap 15.0 x86_64 (Minas Tirith))
On 03/02/2019 05.47, David T-G wrote:
Toshi, et al --
...and then Toshi Esumi said... % % On 2/2/19 1:28 PM, Dave Howorth wrote: % ... % 2) Put your vendor ADSL router/modem in modem/bridge mode, so that % the FW in 1) behind the vendor modem can handle NAT/VIP and all % other firewalling needs.
But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect?
Certainly not. I have an intelligent fridge, for sure I want to talk to it from home and maybe from outside too. What good is an intelligent toaster if I can not see when the toast is ready from my android phone or my computer? I might buy instead a toaster. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On Sun, 3 Feb 2019 14:01:16 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 03/02/2019 05.47, David T-G wrote:
Toshi, et al --
...and then Toshi Esumi said... % % On 2/2/19 1:28 PM, Dave Howorth wrote: % ... % 2) Put your vendor ADSL router/modem in modem/bridge mode, so that % the FW in 1) behind the vendor modem can handle NAT/VIP and all % other firewalling needs.
But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect?
Certainly not.
I have an intelligent fridge, for sure I want to talk to it from home and maybe from outside too.
What good is an intelligent toaster if I can not see when the toast is ready from my android phone or my computer? I might buy instead a toaster.
For the avoidance of doubt, I'm not interested in allowing smart fridges and suchlike in my house. I expressly have no wish to observe or control anything from a phone or tablet. And absolutely, definitely no inbound connections from devices outside the home network. Your approach is obviously different, Carlos, but please don't confuse people answering my thread.
On 2019-02-02 11:47 p.m., David T-G wrote:
But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect?
Not a problem. The hardware routers I have all have a 'DMZ Host' address option. And that can be a router/gateway to a subnet. A while back I ran a PC based firewall: "IPCop". You could run as many 'subnets' or 'DMZ hosts' as you were willing to plug in additional Ethernet cards. http://ipcop.sourceforge.net/ <quote src="https://www.techradar.com/news/best-free-linux-firewall"> IPCop was originally a fork of Smoothwall (which we’ll also cover later) and was in turn forked by the IPFire team as updates to IPCop are few and far between. The most recent version (2.1.9) was released in February 2015. Installation is relatively straightforward, but there are some wildcard questions thrown into the mix. While these may puzzle the novice user, accepting the default options won't cause any issues unless you have a very specific network configuration. One of the main advantages of IPCop is that the installation image is very small (around 60MB) and can be copied onto a DVD or flash drive. IPCop's web interface feels clunky, although our tests proved that this was merely psychological, because it was actually incredibly responsive. However, other than the 'real-time' graphs that Smoothwall provides, IPCop gives a lot more information about your LAN setup, and about the running of the firewall itself, including a list of the connections that are currently open. The Firewall also provides a 'caching proxy', so that you can cache frequently accessed pages locally. IPCop does a good job as a firewall, giving plenty of information about traffic on your network, and while it might not be the prettiest distro in the world, it does what it's designed to do. </quote> Why did I stop using it? A couple of reasons: 1. The integrated Thompson unit is slim 2. I really wasn't interested in watching all the information IPCop could supply Perhaps with a small Pi-sized version I'd revise #1. I don't need 'pretty'. -- A: Yes. > Q: Are you sure? 
>> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Toshi Esumi wrote:
On 2/2/19 1:28 PM, Dave Howorth wrote:
Most of my home security depends on my ADSL router and especially on the NAT it provides.
Setting a proper FW at the entry point is the most effective way. That's why it's called a FireWall -- peaceful world inside of it whatever you have inside. My suggestion is:
1) find a proper FW that suits your need, satisfaction and budget, either a PC/server based (of course with two NICs:inside and outside) or a dedicated box/chassis based (always come with 2+ interfaces for both sides), and hopefully coming with a subscription to update virus/malware/etc. signature database as soon as possible. In other words, look for a business class FW targeted at home offices.
Hopefully I don't offend anyone, but buying a business class FW with an annual license is overkill and really only for IT managers. For protecting Dave's home network, a Raspi with openSUSE and iptables will suffice. Dave said he has ADSL, so no more than 100Mbit/s downlink which the Raspi (or similar) will easily handle. For comparison, think of what kind of CPU might be sat in the ADSL modem.
2) Put your vendor ADSL router/modem in modem/bridge mode, so that the FW in 1) behind the vendor modem can handle NAT/VIP and all other firewalling needs.
Agree. -- Per Jessen, Zürich (-5.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 04/02/2019 08.15, Per Jessen wrote:
Toshi Esumi wrote:
On 2/2/19 1:28 PM, Dave Howorth wrote:
Hopefully I don't offend anyone, but buying a business class FW with an annual license is overkill and really only for IT managers. For protecting Dave's home network, a Raspi with openSUSE and iptables will suffice. Dave said he has ADSL, so no more than 100Mbit/s downlink which the Raspi (or similar) will easily handle. For comparison, think of what kind of CPU might be sat in the ADSL modem.
I wonder if there is some suitable hardware out there that can run openWrt software easily. <https://en.wikipedia.org/wiki/OpenWrt> A router based on that would get updates and is easy to configure and maintain. <https://openwrt.org/toh/buyerguide> -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
Op maandag 4 februari 2019 13:03:50 CET schreef Carlos E. R.:
On 04/02/2019 08.15, Per Jessen wrote:
Toshi Esumi wrote:
On 2/2/19 1:28 PM, Dave Howorth wrote:
Hopefully I don't offend anyone, but buying a business class FW with an annual license is overkill and really only for IT managers. For protecting Dave's home network, a Raspi with openSUSE and iptables will suffice. Dave said he has ADSL, so no more than 100Mbit/s downlink which the Raspi (or similar) will easily handle. For comparison, think of what kind of CPU might be sat in the ADSL modem.
I wonder if there is some suitable hardware out there that can run openWrt software easily.
<https://en.wikipedia.org/wiki/OpenWrt>
A router based on that would get updates and is easy to configure and maintain.
<https://openwrt.org/toh/buyerguide> https://openwrt.org/toh/start
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 04/02/2019 13.09, Knurpht-openSUSE wrote:
Op maandag 4 februari 2019 13:03:50 CET schreef Carlos E. R.:
On 04/02/2019 08.15, Per Jessen wrote:
Toshi Esumi wrote:
On 2/2/19 1:28 PM, Dave Howorth wrote:
Hopefully I don't offend anyone, but buying a business class FW with an annual license is overkill and really only for IT managers. For protecting Dave's home network, a Raspi with openSUSE and iptables will suffice. Dave said he has ADSL, so no more than 100Mbit/s downlink which the Raspi (or similar) will easily handle. For comparison, think of what kind of CPU might be sat in the ADSL modem.
I wonder if there is some suitable hardware out there that can run openWrt software easily.
<https://en.wikipedia.org/wiki/OpenWrt>
A router based on that would get updates and is easy to configure and maintain.
<https://openwrt.org/toh/buyerguide> https://openwrt.org/toh/start
Ah, but that table doesn't "recommend" hardware, doesn't even say which are easy. I have seen some routers that require to solder new pins to create a serial port for access. When I saw that, I abandoned my attempt to flash the router and bought another one instead. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 2019-02-04 13:25, Carlos E. R. wrote:
Ah, but that table doesn't "recommend" hardware, doesn't even say which are easy. I have seen some routers that require to solder new pins to create a serial port for access. When I saw that, I abandoned my attempt to flash the router and bought another one instead.
The table isn't for recommendation. It's for what has been tested and to what extent it's working. Old but still running without problems in my two private locations are Netgear WNDR3700-2[1]. I've been using Openwrt since over 10 years back. Mostly a smooth experience. But you might want to have a look at the newer models. To figure out if it's worth the effort I think you have to dig into the forum a bit. I'd recommend Hardware Questions and Recommendations [2]. My colleague uses Netgear R7800 and is really happy with it. ref. [1] https://openwrt.org/toh/netgear/wndr3700 [2] https://forum.openwrt.org/c/hardware-questions-and-recommendations Cheers, -- /bengan
On Mon, 4 Feb 2019 13:25:20 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 04/02/2019 13.09, Knurpht-openSUSE wrote:
Op maandag 4 februari 2019 13:03:50 CET schreef Carlos E. R.:
On 04/02/2019 08.15, Per Jessen wrote:
Toshi Esumi wrote:
On 2/2/19 1:28 PM, Dave Howorth wrote: Hopefully I don't offend anyone, but buying a business class FW with an annual license is overkill and really only for IT managers. For protecting Dave's home network, a Raspi with openSUSE and iptables will suffice. Dave said he has ADSL, so no more than 100Mbit/s downlink which the Raspi (or similar) will easily handle. For comparison, think of what kind of CPU might be sat in the ADSL modem.
I wonder if there is some suitable hardware out there that can run openWrt software easily.
<https://en.wikipedia.org/wiki/OpenWrt>
A router based on that would get updates and is easy to configure and maintain.
<https://openwrt.org/toh/buyerguide> https://openwrt.org/toh/start
Ah, but that table doesn't "recommend" hardware, doesn't even say which are easy. I have seen some routers that require to solder new pins to create a serial port for access. When I saw that, I abandoned my attempt to flash the router and bought another one instead.
Indeed. Better to start at https://openwrt.org/ then follow the link to "Supported Devices" https://openwrt.org/supported_devices and then to "I want to buy a router which is supported by OpenWrt" https://openwrt.org/toh/views/toh_available_864 which is titled "Table of Hardware: Ideal for OpenWrt".
On 2019-02-02 11:35 p.m., Toshi Esumi wrote:
On 2/2/19 1:28 PM, Dave Howorth wrote:
Most of my home security depends on my ADSL router and especially on the NAT it provides.
Setting a proper FW at the entry point is the most effective way. That's why it's called a FireWall -- peaceful world inside of it whatever you have inside. My suggestion is:
1) find a proper FW that suits your need, satisfaction and budget, either a PC/server based (of course with two NICs:inside and outside) or a dedicated box/chassis based (always come with 2+ interfaces for both sides), and hopefully coming with a subscription to update virus/malware/etc. signature database as soon as possible. In other words, look for a business class FW targeted at home offices.
2) Put your vendor ADSL router/modem in modem/bridge mode, so that the FW in 1) behind the vendor modem can handle NAT/VIP and all other firewalling needs.
Of course many modern cable/fibre/pair routers are so sophisticated now, they include a firewall, packet filtering and more. And you don't need leading edge technology; I have five year old or more equipment that does that. And then there is always the DD-WRT and the OpenWRT projects, and you'll have, at the very least, iptables capability. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 04/02/2019 18.34, Anton Aylward wrote:
On 2019-02-02 11:35 p.m., Toshi Esumi wrote:
On 2/2/19 1:28 PM, Dave Howorth wrote:
2) Put your vendor ADSL router/modem in modem/bridge mode, so that the FW in 1) behind the vendor modem can handle NAT/VIP and all other firewalling needs.
Of course many modern cane/fibre/pair routers are so sophisticated now, they include a firewall, packet filtering and more.
Me, I have to stay using the ISP provided router, I can not insert another one because then the TV would stop working. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 02/05/2019 06:13 AM, Carlos E. R. wrote:
Me, I have to stay using the ISP provided router, I can not insert another one because then the TV would stop working.
Can you not put the router portion in bridge mode?
On 05/02/2019 12.48, James Knott wrote:
On 02/05/2019 06:13 AM, Carlos E. R. wrote:
Me, I have to stay using the ISP provided router, I can not insert another one because then the TV would stop working.
Can you not put the router portion in bridge mode?
I would have to replicate its functionality on the inner router, and that functionality is not documented. Question: does IGMP snooping traverse routers? The TV uses that. -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 02/05/2019 08:17 AM, Carlos E. R. wrote:
Can you not put the router portion in bridge mode? I would have to replicate its functionality on the inner router, and that functionality is not documented.
Question: does IGMP snooping traverse routers? The TV uses that.
On the equipment supplied in Canada, TV and Internet have different connections on the terminal. Putting the router portion in bridge mode has no effect on TV. As for IGMP snooping, I haven't worked with it, but my understanding is that a switch uses it to determine which ports are listening to a multicast, instead of flooding all ports with it. Again, with TV on a different port on the terminal, that shouldn't be an issue.
On Tuesday, 5 February 2019 23:47:24 ACDT Carlos E. R. wrote:
On 05/02/2019 12.48, James Knott wrote:
On 02/05/2019 06:13 AM, Carlos E. R. wrote:
Me, I have to stay using the ISP provided router, I can not insert another one because then the TV would stop working.
Can you not put the router portion in bridge mode?
I would have to replicate its functionality on the inner router, and that functionality is not documented.
Question: does IGMP snooping traverse routers? The TV uses that.
No. IGMP traffic is not routed beyond the local subnet. Other protocols (PIM - Protocol-Independent Multicast - in Sparse Mode, Dense Mode or Sparse/Dense Mode, or SSM - Source Specific Multicast) are used for that. Multicast sources or receivers talk to the local router using IGMP - routers manage propagation and routing of multicast group traffic between networks or subnetworks using PIM. IGMP Snooping is a method for switches (L2 devices) to learn what ports have devices registered for multicast traffic on specific groups and limit the multicast traffic to those ports. Without IGMP snooping, multicast and broadcast traffic are treated the same way (flooded out all ports except the ingress port). (This will get way off-topic for the OP really quickly). -- ============================================================== Rodney Baker VK5ZTV rodney.baker@iinet.net.au CCNA #CSCO12880208 ==============================================================
Dave Howorth wrote:
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW.
Is this at all sane?
That is how I've done it, for years and years.
Would openSUSE make a good basis for the machine?
Yup.
What software would I need to run on it? What hardware power would I need?
It's a router, you won't need much - a Raspi might well be sufficient :-) -- Per Jessen, Zürich (1.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Sun, 03 Feb 2019 13:27:00 +0100 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW.
Is this at all sane?
That is how I've done it, for years and years.
Would openSUSE make a good basis for the machine?
Yup.
What software would I need to run on it? What hardware power would I need?
It's a router, you won't need much - a Raspi might well be sufficient :-)
Thanks for the confirmation, Per. I'll have a play.
On Sunday, 3 February 2019 7:58:35 ACDT Dave Howorth wrote:
I've been thinking about security a bit. Most of my home security depends on my ADSL router and especially on the NAT it provides. Now I could try to harden every machine on my network, which I admit would be best practice, but (a) I'm lazy and (b) I've got little control over some of the devices on the network. So I've been wondering about putting another dedicated machine in between my router and my network to make it harder to penetrate. My router also provides my WAN, FWIW.
Is this at all sane? Would openSUSE make a good basis for the machine? What software would I need to run on it? What hardware power would I need?
TIA, Dave
It certainly could be done using openSUSE, but that might be a little like using a sledgehammer to crack a walnut. My personal preference would be to use a dedicated firewall distro like pfSense or IPFire on a relatively low-cost machine with 2 ethernet ports. Both work well, both are relatively easy to configure. I've played with both as VMs on VirtualBox and both work well, but my personal preference is pfSense. I don't know enough about configuring the SUSE firewall via Yast. Iptables is used behind the scenes on most (if not all) of the dedicated firewall distros anyway, it's just that they provide a nice, relatively easy-to-understand user interface for configuration, monitoring and management, but apart from that they probably don't do anything that you couldn't do yourself using openSUSE and Iptables, as long as you're prepared to get down'n'dirty with the configuration files and installing the appropriate packages to achieve what you want to achieve. Regards, Rodney. -- ============================================================== Rodney Baker VK5ZTV rodney.baker@iinet.net.au CCNA #CSCO12880208 ==============================================================
participants (13)
- Anton Aylward
- Bengt Gördén
- Bjoern Voigt
- Carlos E. R.
- Dave Howorth
- David T-G
- ellanios82
- James Knott
- Knurpht-openSUSE
- Per Jessen
- Peter Suetterlin
- Rodney Baker
- Toshi Esumi