[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Benjamin Cama benoar at dolka.fr
Thu Jul 17 13:33:09 EDT 2014

On Wednesday, 16 July 2014 at 15:58 -0400, Aaron Z wrote:
> IMO, it comes down to trust:
> Do you trust that the people who made your NAS, Blu-ray player, etc.
> will release patches when exploits are found 3 years down the road? I
> don't.
> Do you trust that the people who made the firmware for your networked
> camera didn't leave any back doors in it to be found down the road
> (ie: a hardcoded root password, poor security on the webpage, etc)? I
> don't.
> Do you trust that Microsoft didn't miss any bugs in the Windows 7
> firewall and that none of the software on the computer is leaving a
> port open? I certainly don't.

OK, you prefer to have everything firewalled by default, but what about
most people, who will be affected by the default settings? (They don't
know how to change them and never will touch them; they may not even be
allowed to if they are not on their “own” network, if that even means
something to them.) They don't have a choice: they _have_ to trust their
device/OS. They have no other choice.

So the choice is on the manufacturer: either you secure your device and
people will trust you, or you build shitty rootable stuff and people
will try not to buy your stuff (you see, they may not even have the
choice to have trust…). But asking them to “patch” the security of their
device by means of some other “magical” device (a firewhat?) is not an

> I would venture to guess that 95% (or more) of the people who install
> OpenWRT are quite capable of opening ports in a firewall.

Yes. But try imagining the impact on the other people. Now try
imagining that this policy is implemented on 90% of home routers.

> ======================
> Perhaps a solution would be to do the following:
> 1. Have a global setting for the firewall that has three options:
> 1a. Default open from port 0 on up
> 1b. Default open from port 1024 on up
> 1c. Default closed
> 2. Add/change LUCI interface for opening ports. Add a hyperlink or
> button next to the list of computers on the network that allows
> setting the following options (for each computer) in the OpenWRT
> firewall:
> 2a. Default to open from port 0 on up
> 2b. Default open from port 1024 on up
> 2c. Open port X (or service X) for this computer

Yes, this kind of UI would be nice.

> Factory default could be 1c for the time being (to be consistent with
> the current IPv4 settings) and it could be re-evaluated down the road
> as things change.

“Down the road” being never, as what sets the “standard” is what is
installed in the standard base. Now is the time, as this release comes
as “IPv6 fully enabled”.
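As an added illustration (not part of this message or of Aaron's proposal), here is what options 1c and 2c from the quoted list look like as an OpenWrt /etc/config/firewall fragment: the wan zone stays default closed, and a single service is exposed to a single LAN host over IPv6. The rule name and the host address are placeholders.

```uci
# Added example, not from this thread: fw3 firewall config fragment.
# Option 1c: forwarded traffic arriving from the wan zone is rejected
# unless an explicit rule or forwarding section allows it. This is what
# keeps unsolicited IPv6 connections from reaching LAN hosts.
config zone
	option name	'wan'
	option network	'wan wan6'
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'

# Option 2c: open exactly one port (SSH, TCP/22) to exactly one LAN host
# over IPv6. Every other port on every other host stays closed, so the
# exposure is limited to the service the user actually chose.
config rule
	option name	'Allow-SSH-to-nas-v6'   # placeholder rule name
	option src	'wan'
	option dest	'lan'
	option family	'ipv6'
	option proto	'tcp'
	option dest_ip	'2001:db8::1234'        # constructed example address
	option dest_port	'22'
	option target	'ACCEPT'
```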

