[mythtv] Proposed change to Network Communications

Stuart Auchterlonie stuarta at squashedfrog.net
Fri Mar 10 16:24:28 UTC 2017


On 10/03/17 15:40, Derek Atkins wrote:
> OUCH!   NO...
> 
> Some of us actually have public IP addresses on our network!!
> 

So the same applies to ipv4 as it does to ipv6.

Accept connections from subnets the backend has interfaces in.


Regards
Stuart


> -derek
> 
> Peter Bennett <pgbennett at comcast.net> writes:
> 
>> On 03/08/2017 11:46 AM, Gary Buhrmaster wrote:
>>
>>     Do not get me wrong, I think IPv6 is the now, and
>>     IPv4 is legacy/dead.  But the myth protocol has been
>>     regularly stated by the MythTV elders as not being
>>     public Internet ready, and only with stateful protection
>>     (or someone who knows how to configure firewall rules)
>>     should one consider running the device on the public
>>     Internet.  Changing the defaults to run IPv6 publicly
>>     will require stepping up the other parts of the protocol
>>     (one mitigation short of authentication might be to set
>>     the TTL for the myth protocol to something like 3,
>>     (just like DTCP-IP), which is more or less "in the
>>     residence" for 98% of the users).
>>     
>> Thinking about this some more, I came up with an addition to the previous
>> proposal.
>>
>> Keep the "Listen on all ip addresses" checkbox that I proposed.
>>
>> Whether or not "Listen on all ip addresses" is checked, check the sender of
>> all incoming connections. If the sender is a public IP address, simply ignore
>> the connection.
>>
>> Provide a checkbox labeled "NOT RECOMMENDED - Allow connections from the
>> Internet". Default this to unchecked. When this is unchecked, only provide
>> private ip addresses from the below list in the drop down boxes for IP
>> address. When it is checked, provide all ip addresses in the drop down and
>> bypass the sender ip address check.
>>
>> The following IP addresses are the private ip addresses that would be allowed.
>> Everything else would be rejected.
>>
>> 192.168.0.0 - 192.168.255.255
>> 172.16.0.0 - 172.31.255.255
>> 10.0.0.0 - 10.255.255.255
>> 127.0.0.1 (local loop-back)
>> 169.254.0.0 - 169.254.255.255 (link-local)
>> ::1 (local loop-back)
>> fe80::/10 (link-local)
>> fc00::/7 (unique local)
>>
>> For UDP - just ignore messages from ip addresses not on the list. As far as I
>> can see, UDP is only used for one purpose in MythTV. In the frontend it is
>> used for Airplay, where audio data is received and played. If you are playing
>> some sound, somebody on the internet could send you some audio data if they
>> spoof the sending address. The backend does not bind UDP so nothing could be
>> sent to it via UDP.
>>
>> Peter
>>
>> _______________________________________________
>> mythtv-dev mailing list
>> mythtv-dev at mythtv.org
>> http://lists.mythtv.org/mailman/listinfo/mythtv-dev
>> http://wiki.mythtv.org/Mailing_List_etiquette
>> MythTV Forums: https://forum.mythtv.org
> 
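As an added illustration of the two rules discussed in this thread (Peter's private-range allowlist with the "Allow connections from the Internet" override, and Stuart's "accept from subnets the backend has interfaces in"), the following Python sketch is example code written for this page, not MythTV's own implementation. The backend interface networks it uses are constructed sample values, the loopback range is widened from the single 127.0.0.1 in the mail to the whole 127.0.0.0/8 block, and it also handles the dual-stack case where an IPv4 peer shows up as an IPv4-mapped IPv6 address (::ffff:a.b.c.d), which a naive v6-only comparison would otherwise let through.

```python
"""
Sender-address check for the two proposals in the thread:
  - Peter's rule: accept only senders inside the private / loopback /
    link-local ranges listed in the mail, unless the "NOT RECOMMENDED -
    Allow connections from the Internet" override is set.
  - Stuart's rule: additionally accept senders in subnets the backend
    itself has an interface in (covers Derek's public-address case).
Example code added to illustrate the discussion; not MythTV code.
"""
import ipaddress
from typing import Iterable, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# The ranges Peter listed, written as CIDR blocks.
PRIVATE_RANGES: Tuple[IPNetwork, ...] = tuple(ipaddress.ip_network(n) for n in (
    "192.168.0.0/16",
    "172.16.0.0/12",
    "10.0.0.0/8",
    "127.0.0.0/8",      # the mail lists 127.0.0.1; the full loopback block is an assumption here
    "169.254.0.0/16",   # IPv4 link-local
    "::1/128",          # IPv6 loopback
    "fe80::/10",        # IPv6 link-local
    "fc00::/7",         # IPv6 unique local
))

# Constructed sample: subnets this backend has interfaces in. The
# 203.0.113.0/24 and 2001:db8::/64 blocks are documentation ranges
# standing in for a public subnet, as in Derek's setup.
BACKEND_INTERFACE_NETWORKS: Tuple[IPNetwork, ...] = tuple(
    ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.0/24", "2001:db8::/64")
)


def normalise(addr: str) -> IPAddress:
    """Parse a peer address as reported by the socket layer.

    A dual-stack listener reports IPv4 peers as IPv4-mapped IPv6
    (::ffff:a.b.c.d); unwrap those so the IPv4 ranges apply to them.
    A zone/scope suffix such as fe80::1%eth0 is dropped before parsing.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_private_sender(addr: str) -> bool:
    """Peter's rule: sender lies in one of the listed private ranges."""
    ip = normalise(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def in_local_subnets(addr: str, interface_networks: Iterable[IPNetwork]) -> bool:
    """Stuart's rule: sender lies in a subnet the backend has an interface in."""
    ip = normalise(addr)
    return any(ip in net for net in interface_networks)


def accept_connection(addr: str, allow_internet: bool = False,
                      interface_networks: Iterable[IPNetwork] = BACKEND_INTERFACE_NETWORKS) -> bool:
    """Decide whether to accept a TCP connection (or UDP datagram) from addr."""
    if allow_internet:  # the "NOT RECOMMENDED" checkbox bypasses the sender check
        return True
    nets = list(interface_networks)
    return is_private_sender(addr) or in_local_subnets(addr, nets)


if __name__ == "__main__":
    for peer in ("192.168.1.5", "8.8.8.8", "203.0.113.7", "::ffff:10.0.0.4", "fe80::1%eth0"):
        print(f"{peer:>20}  accept={accept_connection(peer)}")
```

The check runs per accepted socket (or per received datagram for the Airplay UDP path), before any protocol bytes are read, so a rejected peer costs the backend nothing more than a closed socket. Note that the "allow from own subnets" rule deliberately admits a public subnet the backend sits on, which is exactly Derek's case; the private-range list alone would have refused those neighbours.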