[mythtv] Proposed change to Network Communications
stuarta at squashedfrog.net
Fri Mar 10 16:24:28 UTC 2017
On 10/03/17 15:40, Derek Atkins wrote:
> OUCH! NO...
> Some of us actually have public IP addresses on our network!!
So the same applies to ipv4 as it does to ipv6.
Accept connections from subnets the backend has interfaces in.
> Peter Bennett <pgbennett at comcast.net> writes:
>> On 03/08/2017 11:46 AM, Gary Buhrmaster wrote:
>>> Do not get me wrong, I think IPv6 is the now, and
>>> IPv4 is legacy/dead. But the myth protocol has been
>>> regularly stated by the MythTV elders as not being
>>> public Internet ready, and only with stateful protection
>>> (or someone who knows how to configure firewall rules)
>>> should one consider running the device on the public
>>> Internet. Changing the defaults to run IPv6 publicly
>>> will require stepping up the other parts of the protocol
>>> (one mitigation short of authentication might be to set
>>> the TTL for the myth protocol to something like 3,
>>> (just like DTCP-IP), which is more or less "in the
>>> residence" for 98% of the users).
>> Thinking about this some more, I came up with an addition to the previous
>> Keep the "Listen on all ip addresses" checkbox that I proposed.
>> Whether or not "Listen on all ip addresses" is checked, check the sender of
>> all incoming connections. If the sender is a public IP address, simply ignore
>> the connection.
>> Provide a checkbox labeled "NOT RECOMMENDED - Allow connections from the
>> Internet". Default this to unchecked. When this is unchecked, only provide
>> private ip addresses from the below list in the drop down boxes for IP
>> address. When it is checked, provide all ip addresses in the drop down and
>> bypass the sender ip address check.
>> The following IP addresses are the private ip addresses that would be allowed.
>> Everything else would be rejected.
>> 192.168.0.0 - 192.168.255.255
>> 172.16.0.0 - 172.31.255.255
>> 10.0.0.0 - 10.255.255.255
>> 127.0.0.1 (local loop-back)
>> 169.254.0.0 - 169.254.255.255 (link-local)
>> ::1 (local loop-back)
>> fe80::/10 (link-local)
>> fc00::/7 (unique local)
>> For UDP - just ignore messages from ip addresses not on the list. As far as I
>> can see, UDP is only used for one purpose in MythTV. In the frontend it is
>> used for Airplay, where audio data is received and played. If you are playing
>> some sound, somebody on the internet could send you some audio data if they
>> spoof the sending address. The backend does not bind UDP so nothing could be
>> sent to it via UDP.
>> mythtv-dev mailing list
>> mythtv-dev at mythtv.org
>> MythTV Forums: https://forum.mythtv.org
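The two sender-address rules argued over in this thread, modelled as an added example. This is not MythTV code and not in the project's C++/Qt; it is a stand-alone Python sketch of the policy, written for this page. It implements Peter Bennett's allow-list exactly as posted (only those ranges, and only 127.0.0.1 rather than all of 127.0.0.0/8, which is a gap worth noticing), and the rule stuarta gives in reply, "accept connections from subnets the backend has interfaces in", which is what covers Derek Atkins' case of a LAN numbered from public address space. It also handles two details a string comparison against the list would miss: an IPv6 listening socket reports an IPv4 peer as an IPv4-mapped address (::ffff:192.168.1.20), and IPv6 link-local peers carry a zone index (fe80::1%eth0). All peer and interface addresses below are constructed for the example from RFC 5737 / RFC 3849 documentation ranges; the function names and the `interfaces` parameter are this example's own, not anything in MythTV.

```python
"""Sender-address policy from the mythtv-dev thread, modelled in Python.

Added example, not MythTV code. Rule (1) is Peter Bennett's allow-list;
rule (2) is stuarta's "subnets the backend has interfaces in".
"""
import ipaddress
from typing import Iterable, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Rule (1): the allow-list exactly as it appears in the post.
PRIVATE_RANGES: List[IPNetwork] = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16",
    "172.16.0.0/12",
    "10.0.0.0/8",
    "127.0.0.1/32",      # the post lists only 127.0.0.1, not all of 127.0.0.0/8
    "169.254.0.0/16",    # IPv4 link-local
    "::1/128",
    "fe80::/10",         # IPv6 link-local
    "fc00::/7",          # IPv6 unique local
)]


def parse_sender(sender: str) -> IPAddress:
    """Normalise a peer address the way the socket layer reports it.

    - fe80::1%eth0: strip the zone index so fe80::/10 membership can be tested
    - ::ffff:10.5.5.5: an IPv4 peer seen through an IPv6 socket; unwrap it so
      the IPv4 ranges apply instead of silently failing every check
    Raises ValueError for anything that is not an IP address.
    """
    if "%" in sender:
        sender = sender.split("%", 1)[0]
    addr = ipaddress.ip_address(sender)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def in_any(addr: IPAddress, networks: Iterable[IPNetwork]) -> bool:
    """Membership test; 'in' is False across address families, so no
    special casing of v4 vs v6 is needed."""
    return any(addr in net for net in networks)


def is_private_sender(sender: str) -> bool:
    """Rule (1): peer is inside one of the allow-listed ranges."""
    return in_any(parse_sender(sender), PRIVATE_RANGES)


def on_local_subnet(sender: str, interfaces: Iterable[str]) -> bool:
    """Rule (2): peer is on a subnet the backend has an interface in.

    `interfaces` are the backend's own addresses in CIDR form, e.g.
    "203.0.113.10/24" (constructed: a LAN numbered with public IPv4 space).
    """
    nets = [ipaddress.ip_interface(i).network for i in interfaces]
    return in_any(parse_sender(sender), nets)


def accept_connection(sender: str, interfaces: Iterable[str],
                      allow_internet: bool = False) -> bool:
    """Combined policy. The "NOT RECOMMENDED - Allow connections from the
    Internet" box bypasses both checks; otherwise either rule suffices.
    A peer address that does not parse is rejected rather than let through."""
    if allow_internet:
        return True
    try:
        return is_private_sender(sender) or on_local_subnet(sender, interfaces)
    except ValueError:
        return False


# Constructed backend: one RFC 1918 LAN, one LAN on public IPv4 (the
# RFC 5737 TEST-NET-3 range), one globally routed IPv6 /64 (RFC 3849).
BACKEND_IFACES = ["192.168.1.10/24", "203.0.113.10/24", "2001:db8:1::10/64"]

if __name__ == "__main__":
    for peer in ("192.168.1.20", "::ffff:10.5.5.5", "fe80::1%eth0",
                 "203.0.113.77", "198.51.100.9", "2001:db8:1::55",
                 "2001:db8:2::55", "127.0.0.2", "not-an-ip"):
        print(f"{peer:20s} accept={accept_connection(peer, BACKEND_IFACES)}")
```

Two things the model makes visible that the thread only alludes to. First, with only the RFC 1918 interface configured, a peer on a public-IPv4 LAN (203.0.113.77) is refused, which is Derek's objection; adding the backend's real interface subnets fixes that without opening the box marked NOT RECOMMENDED. Second, a source-address check only means something for TCP once the handshake has completed; for the UDP path the post itself notes the source can be spoofed, so the same list applied to UDP is a nuisance filter, not a boundary.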