[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Aaron Z aaronz at pls-net.org
Wed Jul 16 15:58:47 EDT 2014

Sorry for the earlier email, apparently I accidentally hit "send" rather than "save"...

----- Original Message -----
On Wednesday, July 16, 2014 2:10:53 PM "Gui Iribarren" <gui at altermundi.net> wrote:
> Benjamin is giving some great examples of real-world scenarios where a
> default-open firewall simplifies administration,
> and where a default-closed firewall would be not only unnecessary
> (provides no benefits), but would indeed complicate setting up
> things.
On the other hand, how many devices realistically need to be accessible from the outside by default in a typical setting (ie: in a home/small office)? On a network you have several classes of devices:
1. Devices that frequently need to run a server or peer to peer connection that requires outside access (ie: servers, some computers, VOIP phones, etc)
2. Devices which might need to be accessible from the outside in a few cases, but generally speaking have no need to be accessible from the outside (ie: most computers, media players, phones, tablets, gaming consoles, etc)
3. Devices which have no need to be accessible from the outside except in special circumstances and in fact could be a security risk if exposed to the outside world (ie: NAS, network printer, security camera, security system, phone system, etc)

On 16/07/14 12:09, Gert Doering wrote:
> This actually is a somewhat moot argument.  Devices travel today, and
> while your home network and office network might be behind a firewall,
> the hotspot you're using while waiting for your train might not be.
That I think is the point. The "open everything above port 1024" model is a good idea for some systems (ie: hotspots, hotel networks, etc) but in the typical home or office setting, the great majority of the devices have no need to be accessible from the outside and in fact, making them available from the outside creates a security risk if there is any kind of security flaw on the device.

IMO, it comes down to trust:
Do you trust that the people who made your NAS, Blu-ray player, etc will release patches when exploits are found 3 years down the road? I don't.
Do you trust that the people who made the firmware for your networked camera didn't leave any back doors in it to be found down the road (ie: a hardcoded root password, poor security on the webpage, etc)? I don't.
Do you trust that Microsoft didn't miss any bugs in the Windows 7 firewall and that none of the software on the computer is leaving a port open? I certainly don't.
I would venture to guess that 95% (or more) of the people who install OpenWRT are quite capable of opening ports in a firewall.

Perhaps a solution would be to do the following:
1. Have a global setting for the firewall that has three options:
1a. Default open from port 0 on up
1b. Default open from port 1024 on up
1c. Default closed

2. Add/change LUCI interface for opening ports. Add a hyperlink or button next to the list of computers on the network that allows setting the following options (for each computer) in the OpenWRT firewall:
2a. Default to open from port 0 on up
2b. Default open from port 1024 on up
2c. Open port X (or service X) for this computer

Factory default could be 1c for the time being (to be consistent with the current IPv4 settings) and it could be re-evaluated down the road as things change.

My $0.02.

Aaron Z
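As an added illustration (not part of Aaron's message or of any OpenWrt code), the three global options and the per-host pinhole proposed above map fairly directly onto the firewall UCI config that OpenWrt 14.07's fw3 reads from /etc/config/firewall. The zone names 'wan' and 'lan' are the stock defaults; the address 2001:db8:1::10 is a placeholder from the documentation prefix and stands for one host on the LAN. The fragment shows the default-closed baseline (option 1c), with the 1b and 2c variants as rules that can be enabled on top of it; dropping the 1024 lower bound from the 1b rule gives 1a.

```uci
# Option 1c: default closed. Unsolicited traffic from the wan zone is
# rejected both to the router itself (input) and through it (forward).
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option network 'wan wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Option 1b: default open from port 1024 up, IPv6 only. Every LAN host
# becomes reachable on unprivileged ports; this is the rule that turns a
# firmware flaw on a NAS or camera into an Internet-facing exposure.
# Use '0-65535' (or omit dest_port) for option 1a.
config rule
	option name 'Allow-IPv6-high-ports-to-lan'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'tcp udp'
	option dest_port '1024-65535'
	option target 'ACCEPT'

# Option 2c: open one service for one host only. dest_ip is a placeholder
# (documentation prefix); replace with the host's global IPv6 address.
config rule
	option name 'Allow-SSH-to-server'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'tcp'
	option dest_ip '2001:db8:1::10'
	option dest_port '22'
	option target 'ACCEPT'
```

The 2c-style rule is what the proposed per-computer LuCI control would generate: a single ACCEPT scoped by destination address, protocol and port, leaving the zone's REJECT default in place for every other host. When auditing a config like this, the thing to grep for is any ACCEPT rule with src 'wan' and no dest_ip, since that is the line that reopens the whole LAN.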