Author: Simon Date: To: Devuan ML Subject: Re: [DNG] What are you using for a firewall/router
onefang <onefang_devuan@???> wrote:
>>>
>>> I'm in the same position, using Shorewall and soon to be considering
>>> nftables based alternatives. "Just use plain nftables" is on the table.
>>
>> Indeed, with a bit of thought and learning it’s possible to do it at that level. But, for the benefit of those who haven’t worked with Shorewall, that abstracts things in such a way that you can do complicated things in a much nicer way - without abstracting to the point where features start becoming impossible to use.
>
> Well I am your typical graybeard, and I'm really good at learning complex
> computer technology. I'll learn a programming language in an hour, so
> I'll have no problem with learning raw nftables. But yes, a nice easier
> to use system, and still able to deal with complex things, would be
> great. Non graphical so I can switch my servers to it as well.
I sort of fit that description, but I think it’s part of my autistic wiring that I do take a bit longer - and these days it seems to be taking longer still. Also, there’s the issue that whatever time I spend learning X is time I don’t have for A, B, C, D, ..., Z.
> Three things worry me about what I suspect are additions by tp-link.
> There's some sort of ISP management system built in, but I think that's
> coz they sell this same model to ISPs.
That’ll probably be TR069 or similar. My ISP router has it, and no, it can’t be turned off :-(
On the upside, it means the ISP can make any changes they need to keep up with other stuff they might be doing. The downside is that they can make changes. For most people, and the ISPs, it means “open box, plug in ‘blank’ router, wait, ..., router now configured and service active”.
Not long ago I went looking in the router logs (we’d had an internet outage), and I spotted what looks like periodic config updates, typically in the early hours (2am-ish), where it reports in the TR069 log an event with "Event code(s): '4 VALUE CHANGE'", and then the WAN connection drops and re-establishes.
> There's a place to add some sort
> of tp-link account, no idea what that does, I never set one up.
AVM have something like that with the Fritzbox. The router can periodically send stats to the hub and you can view it online. Doesn’t seem all that useful.
> Worst of all, some pages in the built in configuration system will check
> a DNS lookup of what looks like a Microsoft domain. Those pages will do
> that automatically to test if the connection is up. Yesterday the
> Internet was failing outside of the ISPs CNAT. My router could get an
> IP, but nothing beyond that would respond. Yet that test DNS lookup
> would work and the router declared that the Internet was working.
> Traceroutes begged to differ. Unless the DNS resolver their CNAT told me
> to use was inside the CNAT system, but still it failed at "Internet is
> up", it wasn't. Not to mention I'd love to NOT have it checking with
> Microsoft, but there's no way to tell it to use some other domain.
That sucks. But then over the years I’ve seen all sorts of “interesting” design ideas - from Netgear routers that don’t understand the existence of networks other than /24 (wouldn’t allow n.n.n.0 or n.n.n.255 as a valid IP address), routers where the DHCP doesn’t work if you change the RFC-1989 subnet to anything but 192.168.1.0/24, and my favourite bad guy - Zyxel, who had a NAT system where they systematically changed the port number for each new connection, thus breaking anything needing to probe the NAT and work out what external port it’s been mapped to (breaks SIP nicely), but apparently that “is secure and we don’t care if it means things don’t work because security trumps actually working” (not their words, but the gist).