From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 48C171389FE for ; Fri, 31 Oct 2014 11:16:22 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 53620E08EF; Fri, 31 Oct 2014 11:16:15 +0000 (UTC) Received: from smtpq6.tb.mail.iss.as9143.net (smtpq6.tb.mail.iss.as9143.net [212.54.42.169]) by pigeon.gentoo.org (Postfix) with ESMTP id F1008E08DA for ; Fri, 31 Oct 2014 11:16:13 +0000 (UTC) Received: from [212.54.42.135] (helo=smtp4.tb.mail.iss.as9143.net) by smtpq6.tb.mail.iss.as9143.net with esmtp (Exim 4.76) (envelope-from ) id 1XkABh-0001KF-5h for gentoo-user@lists.gentoo.org; Fri, 31 Oct 2014 12:16:13 +0100 Received: from 53579160.cm-6-8c.dynamic.ziggo.nl ([83.87.145.96] helo=data.antarean.org) by smtp4.tb.mail.iss.as9143.net with esmtp (Exim 4.76) (envelope-from ) id 1XkABg-0001hU-Ar for gentoo-user@lists.gentoo.org; Fri, 31 Oct 2014 12:16:13 +0100 Received: from andromeda.localnet (unknown [10.20.13.200]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by data.antarean.org (Postfix) with ESMTPSA id 76F3B4B for ; Fri, 31 Oct 2014 12:15:30 +0100 (CET) From: "J. Roeleveld" To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Strange behaviour of dhcpcd Date: Fri, 31 Oct 2014 12:16:04 +0100 Message-ID: <11792074.PlbkFKk2Y8@andromeda> Organization: Antarean User-Agent: KMail/4.12.5 (Linux/3.16.5-gentoo; KDE/4.12.5; x86_64; ; ) In-Reply-To: <20141031114750.19783056@marcec.fritz.box> References: <20141028004458.16d1bbbc@marcec.fritz.box> <1639884.UKlFl08jV7@andromeda> <20141031114750.19783056@marcec.fritz.box> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Ziggo-spambar: ---- X-Ziggo-spamscore: -4.8 X-Ziggo-spamreport: ALL_TRUSTED=-1,BAYES_00=-1.9,PROLO_TRUST_RDNS=-3,RDNS_DYNAMIC=0.982,TW_WR=0.077 X-Ziggo-Spam-Status: No X-Spam-Status: No X-Spam-Flag: No X-Archives-Salt: 63f56680-a1cd-41b0-8868-7e25cd4f5d5f X-Archives-Hash: 84104dc4f25b51956bc74f917c6aa692 On Friday, October 31, 2014 11:47:50 AM Marc Joliet wrote: > Am Fri, 31 Oct 2014 07:52:54 +0100 > > schrieb "J. Roeleveld" : > > On Tuesday, October 28, 2014 07:31:56 PM Marc Joliet wrote: > [...] > > > > Oh, and there are two powerline/dLAN adapters in between (the modem is > > > in > > > > > > the room next door), but direct connections between my computer and my > > > brother's always worked, and they've been reliable in general, so I > > > assume > > > that they're irrelevant here. > > > > Uh-oh... If you have multiple machines that can ask for a DHCP-lease, you > > might keep getting a different result each time it tries to refresh. > > How so? You mean if the modem is directly connected to the powerline > adapter? I would be surprised if this were a problem in general, since > AFAIU they're ultimately just bridges as far as the network is concerned, > not to mention that they explicitly target home networks with multiple > devices. Actually, a HUB is a better comparison. All the powerline adapters all connect to the same network. Some you can set to a network-ID (think vlan) to limit this. The one time I played with one, I ended up seeing my neighbours NAS. > But in the end, it doesn't matter, since it's just for my desktop (which > doesn't have WLAN built-in); all other clients connect via WLAN. > > FWIW, I chose poewrline because it seemed like a better (and driverless!) > alternative to getting a WLAN USB-stick (or PCI(e) card), and so far I'm > quite happy with it. If you can ensure that only 2 devices communicate, it's a valid replacement for a dedicated network cable. (If you accept the reduction in line-speed) > > > Furthermore, I found out the hard way that you *sometimes* need to > > > reboot > > > > > > the modem when connect a different client for the new client to get a > > > response from the DHCP server (I discovered this after wasting half a > > > day > > > trying to get our router to work, it would log timeouts during > > > DHCPDISCOVER). I didn't think it was the modem because when we first > > > got > > > it, I could switch cables around between my computer and my brother's > > > and > > > they would get their IP addresses without trouble. *sigh* > > > > That's a common flaw. These modems are designed with the idea that people > > only have 1 computer. Or at the very least put a router between the modem > > and whatever else they have. > > Please note, there is NO firewall on these modems and your machine is > > fully > > exposed to the internet. Unless you have your machine secured and all > > unused services disabled, you might as well assume your machine > > compromised. > Yes, I wasn't explicitly aware of this, but it makes sense, since AFAIU the > modem's job boils down to carrying the signal over the cable network and > (on a higher level) dialing in to the ISP and forwarding packets. I would > not really expect a firewall there. There isn't, usually. > > I once connected a fresh install directly to the modem. Only took 20 > > seconds to get owned. (This was about 9 years ago and Bind was running) > > Ouch. I was, to be honest, expecting it to be owned. (Just not this quick). It was done on purpose to see how long it would take. I pulled the network cable when the root-kit was being installed. Was interesting to see. > I just hope the Fritz!Box firewall is configured correctly, especially since > there doesn't appear to be a UI for it. Well, OK, there is, but it's not > very informative in that it doesn't tell me what rules (other than manually > entered ones) are currently in effect; all it explicitly says is that it > blocks NetBIOS packets. The only other thing that's bothered me about the > router is the factory default (directly after flashing the firmware) of > activating WPA2 *and* WPA (why?!). I turned off WPA as soon as I noticed. It will have NAT enabled, which blocks most incoming packets. As long as the router isn't owned, you should be ok. > Out of curiosity, I looked through the exported configuration file (looks > like JSON), and found entries that look like firewall rules, but don't > really know how they apply. It's less the rules themselves, though, than > the context, i.e., the rules are under "pppoefw" and "dslifaces", even > though the router uses neither PPPoE nor DSL (perhaps a sign that AVM's > software grows just as organically as everybody else's ;-) ). The one thing > I'm most curious about is what "lowinput", "highoutput", etc. mean, as > Google only found me other people asking the same question. Not familiar with those routers. Maybe someone with more knowledge can have a look at the config and shed some light. I would do a find/replace on the username and password you use to ensure that is masked before sending it to someone to investigate. > Anyway, it *looks* like it blocks everything from the internet by default > (except for "output-related" and "input-related", which I interpret to mean > responses to outgoing packets and... whatever "input-related" means), and > the manual seems to agree by implying that the firewall is for explicitly > opening ports. Also, I used the Heise "Netzwerk Check" and it reports no > problems, so I'm mostly relieved. Yes, that's a common setting. > > > - At the time there was no router, just the modem. We now have a > > > Fritz!Box > > > > > > 3270 with the most recent firmware, but we got it after I "solved" > > > this > > > problem. > > > > > > - I don't know whether we have an IP block or not; I suspect not. At > > > the > > > very least, we didn't make special arrangements to try and get one. > > > > Then assume not. Most, if not all, ISPs charge extra for this. (If they > > even offer it) > > That's what I thought :) . > > Anyway, I think that I'll contact the dhcpcd maintainer (Roy Marples) > directly and ask for his opinion. Oki, keep us updated. -- Joost