[OpenWrt-Devel] Sysupgrade and Failed to kill all processes
Philip Prindeville
philipp_subx at redfish-solutions.com
Thu May 14 14:40:16 EDT 2020
> On May 14, 2020, at 8:23 AM, Michael Richardson <mcr at sandelman.ca> wrote:
>
> [snip]
>
> It depends a lot on the relative cost of sending a service person there to
> repair the device (push the button, reflash or replace the device), vs the
> risk of the box not operating at all.
>
> In the NAT44 home router situation, the lack of an iptables to do MASQ or
> port forwarding results in the "firewall" failing closed.
> No packets traverse, but the box might be accessible by network for repairs
> from one side or the other.
>
> In the IPv6 and routed IPv4 situation, if packet forwarding is enabled, then
> the box might continue to provide critical functionality, and it might be
> possible to repair it remotely.
>
> In the case where this isn't a router, but a NAS, or some other IoT device,
> then the lack of a firewall, if the device has multiple layers of security
> (no stupid default passwords, or no passwords at all) results in a lowered
> level of security, but not zero security.
>
> In general, I think that this decision needs to be up-leveled to a build
> option. There are many cases where I would agree: you want the box to die
> rather than potentially come up insecurely.
>
A while ago I posted an option to “bake in” a default root password but it was nixed.
https://github.com/openwrt/openwrt/pull/622
Too bad.
-Philip
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel