From: "J. Roeleveld" <joost@antarean.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Strange behaviour of dhcpcd
Date: Fri, 31 Oct 2014 12:16:04 +0100
Message-ID: <11792074.PlbkFKk2Y8@andromeda>
In-Reply-To: <20141031114750.19783056@marcec.fritz.box>
On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote:
> On Fri, 31 Oct 2014 07:52:54 +0100 "J. Roeleveld" <joost@antarean.org> wrote:
> > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote:
> [...]
>
> > > Oh, and there are two powerline/dLAN adapters in between (the modem is
> > > in the room next door), but direct connections between my computer and my
> > > brother's always worked, and they've been reliable in general, so I
> > > assume that they're irrelevant here.
> >
> > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you
> > might keep getting a different result each time it tries to refresh.
>
> How so? You mean if the modem is directly connected to the powerline
> adapter? I would be surprised if this were a problem in general, since
> AFAIU they're ultimately just bridges as far as the network is concerned,
> not to mention that they explicitly target home networks with multiple
> devices.
Actually, a HUB is a better comparison.
All the powerline adapters connect to the same network. Some you can set
to a network-ID (think vlan) to limit this.
The one time I played with one, I ended up seeing my neighbour's NAS.
> But in the end, it doesn't matter, since it's just for my desktop (which
> doesn't have WLAN built-in); all other clients connect via WLAN.
>
> FWIW, I chose powerline because it seemed like a better (and driverless!)
> alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm
> quite happy with it.
If you can ensure that only 2 devices communicate, it's a valid replacement
for a dedicated network cable. (If you accept the reduction in line-speed)
> > > Furthermore, I found out the hard way that you *sometimes* need to
> > > reboot the modem when connecting a different client for the new client
> > > to get a response from the DHCP server (I discovered this after wasting
> > > half a day trying to get our router to work, it would log timeouts during
> > > DHCPDISCOVER). I didn't think it was the modem because when we first got
> > > it, I could switch cables around between my computer and my brother's and
> > > they would get their IP addresses without trouble. *sigh*
> >
> > That's a common flaw. These modems are designed with the idea that people
> > only have 1 computer. Or at the very least put a router between the modem
> > and whatever else they have.
> > Please note, there is NO firewall on these modems and your machine is
> > fully exposed to the internet. Unless you have your machine secured and
> > all unused services disabled, you might as well assume your machine
> > compromised.
> Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the
> modem's job boils down to carrying the signal over the cable network and
> (on a higher level) dialing in to the ISP and forwarding packets. I would
> not really expect a firewall there.
There isn't, usually.
> > I once connected a fresh install directly to the modem. Only took 20
> > seconds to get owned. (This was about 9 years ago and Bind was running)
>
> Ouch.
I was, to be honest, expecting it to be owned. (Just not this quick).
It was done on purpose to see how long it would take. I pulled the network
cable when the root-kit was being installed. Was interesting to see.
> I just hope the Fritz!Box firewall is configured correctly, especially since
> there doesn't appear to be a UI for it. Well, OK, there is, but it's not
> very informative in that it doesn't tell me what rules (other than manually
> entered ones) are currently in effect; all it explicitly says is that it
> blocks NetBIOS packets. The only other thing that's bothered me about the
> router is the factory default (directly after flashing the firmware) of
> activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed.
It will have NAT enabled, which blocks most incoming packets. As long as the
router isn't owned, you should be ok.
> Out of curiosity, I looked through the exported configuration file (looks
> like JSON), and found entries that look like firewall rules, but don't
> really know how they apply. It's less the rules themselves, though, than
> the context, i.e., the rules are under "pppoefw" and "dslifaces", even
> though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's
> software grows just as organically as everybody else's ;-) ). The one thing
> I'm most curious about is what "lowinput", "highoutput", etc. mean, as
> Google only found me other people asking the same question.
Not familiar with those routers. Maybe someone with more knowledge can have a
look at the config and shed some light. I would do a find/replace on the
username and password you use to ensure that is masked before sending it to
someone to investigate.
> Anyway, it *looks* like it blocks everything from the internet by default
> (except for "output-related" and "input-related", which I interpret to mean
> responses to outgoing packets and... whatever "input-related" means), and
> the manual seems to agree by implying that the firewall is for explicitly
> opening ports. Also, I used the Heise "Netzwerk Check" and it reports no
> problems, so I'm mostly relieved.
Yes, that's a common setting.
> > > - At the time there was no router, just the modem. We now have a
> > > Fritz!Box 3270 with the most recent firmware, but we got it after I
> > > "solved" this problem.
> > >
> > > - I don't know whether we have an IP block or not; I suspect not. At
> > > the very least, we didn't make special arrangements to try and get one.
> >
> > Then assume not. Most, if not all, ISPs charge extra for this. (If they
> > even offer it)
>
> That's what I thought :) .
>
> Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples)
> directly and ask for his opinion.
Oki, keep us updated.
--
Joost
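Joost's advice above to find/replace the username and password before sending the exported router configuration to someone is the kind of step that is easy to get half right. The following is an added example (not code from the thread, and not an AVM tool): a small redactor that masks the values of credential-looking keys in both JSON-style and key/value-style text, and then checks the result for the literal secrets you know. The key list and the sample export are assumptions constructed for the example; the real Fritz!Box export format is not shown in the thread, so adapt the key names to what your file actually contains.

```python
import re

# Keys whose values must not leave the machine when an exported config is shared.
# This list is an assumption; extend it to match the keys in your own device's export.
SECRET_KEYS = ("username", "password", "passwd", "passphrase", "psk", "secret")

# Matches either JSON style   "password": "value"
# or key/value style          password = value
# Group 1 is the key plus separator, group 2 the value (quoted or bare).
_SECRET_RE = re.compile(
    r'("?\b(?:' + "|".join(SECRET_KEYS) + r')\b"?\s*[:=]\s*)("[^"]*"|[^\s,;]+)',
    re.IGNORECASE,
)

MASK = "***REDACTED***"


def redact(text: str) -> str:
    """Replace the value of every credential-looking key with MASK.

    Quotes around the value are preserved so a JSON-like export stays parseable.
    """
    def _mask(m: "re.Match[str]") -> str:
        prefix, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            return prefix + '"' + MASK + '"'
        return prefix + MASK
    return _SECRET_RE.sub(_mask, text)


def leaked(text: str, known_secrets) -> list:
    """Return the known secret strings still present in text; empty means clean.

    The pattern is deliberately conservative (it will not touch e.g. "wpa_psk"),
    so the final check is always a literal search for the credentials you know.
    """
    return [s for s in known_secrets if s and s in text]


# Constructed sample resembling a router export; not a real Fritz!Box file.
SAMPLE_EXPORT = """{
  "pppoefw": {"username": "alice@example-isp", "password": "hunter2"},
  "wlan": {"ssid": "HomeNet", "psk": "correct horse battery"}
}
username = alice@example-isp
passwd = hunter2;
"""

if __name__ == "__main__":
    cleaned = redact(SAMPLE_EXPORT)
    print(cleaned)
    print("leaked:", leaked(cleaned, ["alice@example-isp", "hunter2", "correct horse battery"]))
```

The second function is the important one: pattern-based masking will miss a key it does not know about, so before sending the file, search the redacted output for every credential string you actually use and only share it when that search comes back empty.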