[mythtv] Proposed change to Network Communications

Mark Perkins perkins1724 at hotmail.com
Sat Mar 11 05:02:20 UTC 2017


On 11 March 2017 12:58:04 PM Stephen Worthington <stephen_agent at jsw.gen.nz> wrote:

> On Fri, 10 Mar 2017 22:32:25 +0000, you wrote:
>
>>On 11 March 2017 3:37:55 AM <mythtv at phipps-hutton.freeserve.co.uk> wrote:
>>
>>>
>>> Quoting Peter Bennett <pgbennett at comcast.net>:
>>>
>>>> Yep - I realized when I bought a new router that supports IPV6 and
>>>> connected it to Comcast. All of a sudden the entire world can ssh
>>>> into my PC via IPV6 and there is nothing I can set in the router to
>>>> prevent it. On the other hand, I have had certain IPV4 ports open
>>>> for years anyway so I can access my systems when away from home.
>>>>
>>>
>>> I don't mean to sound snarky but maybe you should have bought a router
>>> that includes a firewall.
>>>
>>> Cheers,
>>> Tim.
>>>
>>>
>>>
>>I don't want to sound snarky either, it's a genuine question, but why get a
>>router with a firewall? I'm not IPv6 yet but I am trying to get there - one
>>of my fundamental design parameters I have been working to on my network is
>>that every device handles its own firewalling.
>>
>>I'm still trying to get my head around why ISPs are implementing IPv6
>>firewalls and how that can work in practice.
>>
>>Is the theory that everything is some sort of UPnP equivalent capable?
>>
>>My current IPv4 ISP provider doesn't even do a full firewall, they block
>>SMTP port 25 and a couple of others with an opt in / out option but that is it.
>>
>>I thought it was simple - once you went IPv6 you were world accessible so
>>your individual devices had better be ready. If your device can't handle IPv6
>>world access then the only option is to put it behind an IPv6 to IPv4 gateway
>>and NAT pseudo protection. Is this wrong?
>
> Yes, that is all wrong.
>
> Your ISP does not do firewalling for you.  Some block certain ports
> such as 25 to prevent problems happening to THEM, not to you.  If one
> of their customers has their SMTP server misconfigured on port 25 to
> allow open relaying of emails, within a few hours it will be in use
> for sending millions of spam emails.  Shortly after that, the spam
> blocker sites will notice this and will start blocking the IP address,
> usually by blocking the entire IP address range it is part of.  That
> means that other innocent customers of the same ISP will have their
> emails blocked, and if the ISP's main email servers are on the same
> address range, all the emails from them will be blocked too.  This
> causes your ISP huge problems, so some block port 25 to prevent this,
> and just unblock it on request by a customer who needs to use it.  But
> this blocking is not a firewall - all the packets on all the other
> unblocked ports will be delivered to your network, and unless it has a
> firewall that prevents it, those packets will be delivered to your
> network.
>
> It is up to you to have a firewall on your network to prevent bad
> things from happening to your devices.  With IPv4, having to use NAT
> to provide you with addresses for your network provides a good basic
> firewall, as an otherwise unconfigured NAT router blocks all incoming
> packets that are not as response to outgoing packets.  That is
> sufficient firewalling for most simple home users.  You can then add
> rules to a NAT firewall to allow in traffic on some specific ports and
> send it to specific IPv4 addresses on your network, if you need that.
> Or you can add other rules to block specific ports or addresses or
> other more complicated things.  But simply having NAT between your
> network and the outside world provides a very great deal of
> protection.
>
> With IPv6, you are not using NAT and do not have that same basic
> firewalling unless your router has firewall rules to do it, and for
> some strange reason, almost all the routers I have seen that do IPv6
> do not have such rules in their factory default config.  So all
> incoming packets (including those not as a response to outgoing
> packets) are allowed through to all the devices on your network, which
> would then need to do their own security.  This is bad - there are
> lots of problems with various devices and software that allow hackers
> to do bad things, such as installing ransomware on your Windows PCs
> or making your TV spy on you with its microphone.  The same buggy or
> broken software on your devices that allows hackers to attack them
> will likely in an IPv6 enabled situation just be sitting there
> completely open to attack.  And some software is very vulnerable
> simply by the way it works.  The classic example with MythTV is
> MythWeb, which would allow a malicious person with access to delete
> all your recordings and recording rules, for example.  And there are
> scans that are used for finding open devices and ports that will do
> bad things to MythWeb by just scanning it, without any malicious
> intent.
>
> The rules for an IPv6 firewall that works similarly to what using NAT
> on IPv4 does are quite simple.  On my Linux based Ubiquiti Edgerouter
> Lite, you need three rules.  Here they are:
>
> set firewall ipv6-name RB-Outside-Local-v6 rule 100 action accept
> set firewall ipv6-name RB-Outside-Local-v6 rule 100 state established
> enable
> set firewall ipv6-name RB-Outside-Local-v6 rule 100 state related
> enable
> set firewall ipv6-name RB-Outside-Local-v6 rule 200 action drop
> set firewall ipv6-name RB-Outside-Local-v6 rule 200 state invalid
> enable
> set firewall ipv6-name RB-Outside-Local-v6 rule 300 action accept
> set firewall ipv6-name RB-Outside-Local-v6 rule 300 protocol icmpv6
>
> The 100 rule allows entry of packets for established connections,
> where the router has an entry in its tables showing an outgoing
> connection has been made.  Also allowed are any packets related to
> that connection.  The 200 rule drops all incoming packets that are
> malformed or invalid.  The 300 rule allows in ICMPv6 packets.  There
> are a number of ICMPv6 packets that have to be received for IPv6 to
> work.  The firewall also needs to be set to the mode where it drops
> all packets that do not match any rule.  Those three rules are
> directly translated into rules in the underlying standard Linux
> firewall software, and can be used on any modern Linux system to do
> the necessary IPv6 firewalling.
>
> Instead of having one firewall on your router, you can have protection
> on each individual device, if you can do that.  But there are many
> devices that you can not put a firewall on and do not have any
> protection, such as TVs or WiFi controlled light bulbs, so normally it
> is simply not possible to protect everything individually.  And it is
> a huge amount of work to use individual firewalls on each device,
> rather than one firewall on your router.


I interpreted (misinterpreted?) the earlier reference to "operator provided 
gateways" as being the ISP rather than the CPE router they provide.  
Assuming I misinterpreted - there appears to be disagreement as to whether 
they default as on or default as off, which in my opinion is very 
significant as to whether MythTV should default to bind all or bind local 
only. Otherwise your post matches my understanding. Though it is possibly worth 
pointing out that a router firewall only works on attacks from outside the 
customer's network. Firewalls on each device have the added benefit of 
*potentially* protecting from attacks within the customer network, like a 
compromised machine gone rogue.
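As an added illustration (not code from either poster or from MythTV), the three Edgerouter rules quoted above, written as the ip6tables equivalent for a single Linux host, so each device can carry the same policy the router would; it assumes ip6tables with the conntrack match is available, adds a loopback accept rule the quoted post does not mention, and includes a check that reads saved `ip6tables -S INPUT` output for the same three properties plus the default-drop policy.

```shell
#!/bin/sh
# Added example: host-side IPv6 input policy modelled on the quoted
# Edgerouter rules (established/related accept, invalid drop, ICMPv6
# accept, default drop). Assumes ip6tables + conntrack on the host.

# Emit the commands rather than applying them, so the set can be reviewed
# first; pass --apply (as root) to run them.
ipv6_input_rules() {
    cat <<'EOF'
ip6tables -P INPUT DROP
ip6tables -F INPUT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
EOF
}

# Audit a saved INPUT chain (text of `ip6tables -S INPUT`) for the
# four properties the post relies on. Returns 0 if all are present,
# otherwise a number identifying the first missing property.
check_ipv6_input() {
    saved="$1"
    printf '%s\n' "$saved" | grep -q '^-P INPUT DROP$' || return 1
    printf '%s\n' "$saved" \
      | grep -Eq -- '--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' \
      || return 2
    printf '%s\n' "$saved" | grep -Eq -- '--ctstate INVALID -j DROP' || return 3
    printf '%s\n' "$saved" | grep -Eq -- '-p (ipv6-icmp|icmpv6) -j ACCEPT' || return 4
    return 0
}

# Constructed sample: what `ip6tables -S INPUT` shows after applying the
# rules above (iptables prints the states as RELATED,ESTABLISHED).
HARDENED_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT'

# Constructed sample: the factory-default state the post describes,
# where every incoming IPv6 packet reaches the host.
OPEN_INPUT='-P INPUT ACCEPT'

case "${1:-}" in
    --apply) ipv6_input_rules | sh ;;
    "")      ipv6_input_rules ;;
esac
```

Running the check against the live host is `check_ipv6_input "$(ip6tables -S INPUT)"`; a non-zero return tells you which of the four properties is missing.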

