Gateway 0.0.0.0 question.... (Microcontroller and PC projects forum)
Grogster, Admin Group. Joined: 31/12/2012. Location: New Zealand. Posts: 9610

@ Jim: Okey dokey, I will try that and let you all know what happens.

@ MB: Wow. There are A LOT of inbound and outbound rules! I don't think I will tinker with them just yet. Not if I want a sane Christmas.

Smoke makes things work. When the smoke gets out, it stops!
CaptainBoing, Guru. Joined: 07/09/2016. Location: United Kingdom. Posts: 2170

Oh yes!!! They harvest all those lookups and anyone who is serious about protection or privacy shouldn't really use them. This point is often overlooked... you might use privacy mode on your browser when you go to www.leatherjoyboys.com, but you still have to resolve that to an IP address... Dr. Google knows what you are doing!

There are two really good options:

1. Quad 9
2. OpenDNS

Both offer some pre-filtering of domains with a bang-up-to-date list of nasties and won't resolve them. This way, if you have some little nasty running in secret (or even a dodgy link in a web page), unless it uses an IP address directly to get to its CnC server (and most don't because they are cloud offerings) it gets walled up. A really nice service.

As an aside: there has been a geeky outcry/snivelling over why Google et al don't do this too, but info is money, right?

I have used both in my home office with zero issues and I will confess I still use Google (8.8.8.8 or 8.8.4.4) as my fall-back (third) DNS option.
CaptainBoing, Guru. Joined: 07/09/2016. Location: United Kingdom. Posts: 2170

Not directly related but this might help gel things a bit: http://www.logitel.co.uk/myipwaffle.asp
Azure, Guru. Joined: 09/11/2017. Location: Australia. Posts: 446

You should not need to disable your DHCP for normal security on your network. You control what goes in and out of your network through controlling ports. How your local device gets its IP address and settings (within your local network) via DHCP is not a highly vulnerable service and it does save a lot of manual configuring.

As m8ndl mentioned, NAT is the software/firmware that usually does the port and IP address mapping and this function is normally part of the router/firewall service (not another new and separate service).

Good idea to wait until after the silly season, you don't want silly^2.

John
Phil23, Guru. Joined: 27/03/2016. Location: Australia. Posts: 1667

Interesting, I'd never been aware of the 0.0.0.0 address having special properties.

The main instances where I've set it, sort of by default, is on hardware devices like printers & certain IP cameras that I don't need accessible from a WAN connection, AND see no reason why the device needs to know the IP address required to find its way out onto the internet.

Alternatively, what would be wrong with either static settings in the device, or a DHCP reservation, where the gateway IP is set to an unused IP where nothing is connected?

Phil.
Azure, Guru. Joined: 09/11/2017. Location: Australia. Posts: 446

@Phil, the gateway address needs to be known to all internal devices that access the WAN; it is the address that is used to provide the many-to-one relationship of multiple local LAN devices, each with their own local IP address, connecting to the WAN (through the Gateway) to one public IP address on the WAN side.

Its address is always a free address (before it gets assigned); there should never be multiple devices on the LAN with the same address.

To add to all this confusion there is the MAC address, which is unique for each node on the network but on many devices these days is now able to be configured.
Grogster, Admin Group. Joined: 31/12/2012. Location: New Zealand. Posts: 9610

Thanks guys - this is very interesting stuff. I am NOT playing with any of this till after Christmas as has already been suggested, and I think that is the best suggestion of all for right now!

I DID put the details into my Puppy Server and rebooted that, but it still refused to talk to the Internet. That was me putting in the Gateway IP and the two DNS server IPs, but even after that, no Internet, so I don't know what the hell is going on there as that should be working, I would have thought.

I do currently have the router DHCP IP pool set up so it only assigns IPs within 101 to 200 (192.168.1.101-192.168.1.200). The router is on 100, and the servers are above 201 - this is so the router won't try to dish out IPs reserved for those things, and that setting seems to be working just fine - I will leave that alone too for now.

One interesting thing - when I reversed the DNS IPs for the Puppy Server by just blanking them out along with the gateway IP, when rebooted, they are still there, so Puppy did not want to relinquish those settings once I had put them in, which I thought was odd. Having removed them and rebooted, they should be gone.

Oh well - next year after the silly season, to paraphrase Azure for a moment.....

Smoke makes things work. When the smoke gets out, it stops!
Grogster, Admin Group. Joined: 31/12/2012. Location: New Zealand. Posts: 9610

Excellent information. Thanks. Helped a lot.

Smoke makes things work. When the smoke gets out, it stops!
Grogster, Admin Group. Joined: 31/12/2012. Location: New Zealand. Posts: 9610

UPDATE: I can state at this point, that since disabling UPnP in the router, NONE of those odd IP addresses have ever appeared back on my Puppy Server box again.

Can anyone help me understand HOW the UPnP thing is a security risk and can allow connections to the outside WAN so it would seem?

Smoke makes things work. When the smoke gets out, it stops!
Azure, Guru. Joined: 09/11/2017. Location: Australia. Posts: 446

I have found that with only needed ports open and each one directed to a specific target IP and port internally that things run pretty well.

I used to have UPnP disabled and do all configuration work manually. I have been using UPnP for a while now but I do not use the box's default admin username and password. I have changed them and have a strong password to access the box. I use port redirection from WAN only on ports I need open. I have firewalls on server and internal machines.

You can still change settings manually with UPnP on; it just lets your UPnP-aware devices on your network change settings automatically, as far as I know only when you are running configuration software (in my case anyway).

One other thing worth doing is saving the config when it is in a working state and naming it something that reminds you of the config. That way if things go horribly wrong you should be able to fall back to load a known working configuration.
Grogster, Admin Group. Joined: 31/12/2012. Location: New Zealand. Posts: 9610

Cool, thanks.

I will look into changing the password on the Puppy Linux box just for added security.

Can I ask you and others in the know: SAMBA is the Linux application to allow networking to Windoze machines and Windoze networking - all that is fine. If you have several SAMBA shares enabled and working, does that mean that they are now accessible if you have port-forwarding enabled to that machine on the LAN?

To clarify: You have a server on 192.168.1.50 (as in my experiment in the other thread), with a port open to it to the WAN on 5000 - does that mean that EVERYTHING on 192.168.1.50 on port 5000 is accessible, or ONLY the likes of the ser2net that I have running now? I am just curious as to how global to a specific machine, a port and IP is.

Smoke makes things work. When the smoke gets out, it stops!
Azure, Guru. Joined: 09/11/2017. Location: Australia. Posts: 446

A port is usually a specific service (application) on a machine. The answer is yes, but the only thing answering will be what is configured to listen on port 5000 on that machine.
Grogster, Admin Group. Joined: 31/12/2012. Location: New Zealand. Posts: 9610

Ahhhh, gotcha. So you are saying that if you have a machine talking to the WAN on a port (via the port-forwarding in the router), then it should ONLY contain that which you would ever want discoverable to the Internet, yes?

The Pi I have in the other thread only serves as a go-between for the network and the MM, and has nothing else on it, but I just want to make sure I understand this correctly.

No work at the moment cos of Christmas break, so I am able to suck in a whole lot of other information and stick it into long-term-memory!

Smoke makes things work. When the smoke gets out, it stops!
Azure, Guru. Joined: 09/11/2017. Location: Australia. Posts: 446

Conceptually yes. Not sure how good the Pi is. The vulnerability would be if someone can crash the app running on that machine in a way to gain control of that device within your network. Pi is not my thing so not sure how good the Linux port on those is. It is a bit of a stretch and unlikely but as always, 'caveat emptor' (buyer beware).
JohnS, Guru. Joined: 18/11/2011. Location: United Kingdom. Posts: 4044

You have at most one thing listening (or can be spawned by the OS) on the port (5000) on that one (*) machine at 192.168.1.50. Anything that can get to 192.168.1.50 can try to open the port and will get whatever you've arranged (if anything) to handle the traffic. The remote can't access anything else on your LAN unless the thing that handles the port accesses it - or there's a bug.

Things can't actually get to 192.168.1.50 from the internet unless you use the kind of port forwarding you've mentioned. (But things on your LAN could.)

(The reason 192 would be unreachable is that sites do not forward it across the internet. Think of the chaos if they did...)

(*) there's a way to allow multiple machines to appear as one IP address but you're not doing that and it's not a default. Big sites like IBM, M$, google and so on do this - you can imagine that a single machine just could not handle all their traffic.

John
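The "one listener per port" point made in the last two answers, worked through as an added example (this is not code from the thread or from any of the posters): given a router's forwarding rules and what each LAN host has listening, it reports which single service a forwarded WAN port actually reaches and which services on that host stay LAN-only. The LAN range, the rule for 192.168.1.50 port 5000 and the listener list are constructed sample data modelled on the scenario in the thread, not a real router or server dump.

```python
"""Added worked example (not from the thread): map router port-forwarding
rules onto the sockets open on each LAN host. All rules, hosts and listeners
here are constructed sample data."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed: the thread's LAN


@dataclass(frozen=True)
class Forward:
    """One router rule: traffic arriving on wan_port is sent to lan_ip:lan_port."""
    wan_port: int
    lan_ip: str
    lan_port: int
    proto: str = "TCP"


@dataclass(frozen=True)
class Listener:
    """One socket a host holds open. bind is the address it is bound to:
    0.0.0.0 means every interface, 127.0.0.1 means loopback only."""
    name: str
    host: str
    bind: str
    port: int
    proto: str = "TCP"


# constructed: the single rule described in the thread
FORWARDS = [Forward(wan_port=5000, lan_ip="192.168.1.50", lan_port=5000)]

# constructed: what the Pi at 192.168.1.50 might plausibly have listening
LISTENERS = [
    Listener("ser2net", "192.168.1.50", "0.0.0.0", 5000),
    Listener("smbd", "192.168.1.50", "0.0.0.0", 445),
    Listener("smbd", "192.168.1.50", "0.0.0.0", 139),
    Listener("sshd", "192.168.1.50", "0.0.0.0", 22),
    Listener("debug-console", "192.168.1.50", "127.0.0.1", 5001),
]


def service_behind(fwd, listeners):
    """Return the Listener a connection arriving on fwd.wan_port reaches, or
    None when the rule points at a port where nothing reachable is listening.
    Only one socket can own a port/protocol pair on a host, so at most one
    listener can match."""
    if ipaddress.ip_address(fwd.lan_ip) not in LAN:
        raise ValueError(f"forward target {fwd.lan_ip} is not on the LAN")
    for svc in listeners:
        if (svc.host, svc.port, svc.proto) != (fwd.lan_ip, fwd.lan_port, fwd.proto):
            continue
        # a loopback-only socket stays unreachable even though the port is forwarded
        if ipaddress.ip_address(svc.bind).is_loopback:
            return None
        if svc.bind in ("0.0.0.0", svc.host):
            return svc
    return None


def exposure_report(forwards, listeners):
    """{wan_port: service name or None} for every forwarding rule."""
    report = {}
    for fwd in forwards:
        svc = service_behind(fwd, listeners)
        report[fwd.wan_port] = svc.name if svc else None
    return report


def lan_only_services(forwards, listeners):
    """Sorted 'name:port' for listeners on forwarded hosts that no rule reaches."""
    reached = set()
    for fwd in forwards:
        svc = service_behind(fwd, listeners)
        if svc is not None:
            reached.add(svc)
    forwarded_hosts = {fwd.lan_ip for fwd in forwards}
    return sorted(
        f"{svc.name}:{svc.port}"
        for svc in listeners
        if svc.host in forwarded_hosts and svc not in reached
    )


if __name__ == "__main__":
    for port, name in exposure_report(FORWARDS, LISTENERS).items():
        print(f"WAN port {port} -> {name or 'nothing answers'}")
    print("still LAN-only:", ", ".join(lan_only_services(FORWARDS, LISTENERS)))
```

With the constructed data the report shows WAN port 5000 reaching ser2net only; the Samba ports 139 and 445 and sshd on 22 remain LAN-only because no rule points at them, and a rule aimed at the loopback-bound port 5001 would be open on the router yet reach nothing. The function also rejects a rule whose target is outside the LAN, which is the check a router's own UI will not do for you.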
TassyJim, Guru. Joined: 07/08/2011. Location: Australia. Posts: 6283

> Can anyone help me understand HOW the UPnP thing is a security risk and can allow connections to the outside WAN so it would seem?

I have a program running on my PC that requires port forwarding to be set up. To make life easier for the producers of the program, they include a BAT file and small EXE program with the distribution. When they have a user who is not able to set port forwarding up on their router, they are asked to run the BAT file. Magic occurs and, thanks to UPnP, the required ports are forwarded. This could have easily been incorporated into the main program but the program authors are better than that.

UPnP is there to do these things and make life easier for the unskilled but it can also be used for evil. If you are unfortunate enough to run a nasty program, it can set up the port forward and then snooze in the background waiting for its evil master to send instructions.

UPnP is like leaving the door key on a hook beside the door, inside but visible. I prefer to be told which ports are required and have full control of them.

Jim VK7JH MMedit
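Since UPnP lets any program on the LAN add a forward, the defender's counterpart to Jim's point is to periodically list what the router has accepted and compare it with what was opened on purpose. The added example below (not from the thread or any poster) does that audit offline: a real check would ask the router's WANIPConnection service for each GetGenericPortMappingEntry, so three responses in that format are constructed inline and parsed. The approved list, LAN range and the addresses in the samples are constructed assumptions.

```python
"""Added worked example (not from the thread): audit the port mappings a
UPnP IGD router has accepted against an approved list. The SOAP responses,
approved list and addresses below are constructed sample data."""
import ipaddress
import xml.etree.ElementTree as ET

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed

# constructed: the mappings the administrator set up on purpose (ip, port, proto)
APPROVED = {("192.168.1.50", 5000, "TCP")}


def igd_response(ext_port, proto, int_port, client, enabled, desc, lease):
    """Build a GetGenericPortMappingEntryResponse shaped as an IGD router
    returns it (element names follow the WANIPConnection:1 service)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""


# constructed samples: one intended mapping, one disabled, one nobody asked for
SAMPLE_RESPONSES = [
    igd_response(5000, "TCP", 5000, "192.168.1.50", 1, "ser2net", 0),
    igd_response(8080, "TCP", 80, "192.168.1.60", 0, "old webcam", 0),
    igd_response(6881, "TCP", 6881, "192.168.1.23", 1, "", 0),
]

FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def parse_mapping(xml_text):
    """Extract one mapping from a response; ValueError if a field is missing."""
    root = ET.fromstring(xml_text)
    raw = {}
    for name in FIELDS:
        el = next(root.iter(name), None)  # the entry fields carry no namespace
        if el is None:
            raise ValueError(f"response lacks {name}")
        raw[name] = (el.text or "").strip()
    return {
        "external_port": int(raw["NewExternalPort"]),
        "protocol": raw["NewProtocol"].upper(),
        "internal_ip": raw["NewInternalClient"],
        "internal_port": int(raw["NewInternalPort"]),
        "enabled": raw["NewEnabled"] == "1",
        "description": raw["NewPortMappingDescription"],
        "lease_seconds": int(raw["NewLeaseDuration"]),  # 0 means permanent
    }


def audit(mappings, approved=APPROVED, lan=LAN):
    """One finding per enabled mapping that needs a human to look at it."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        key = (m["internal_ip"], m["internal_port"], m["protocol"])
        reasons = []
        if key not in approved:
            reasons.append("not on the approved list")
            if m["lease_seconds"] == 0:
                reasons.append("permanent lease")
        if not m["description"]:
            reasons.append("no description")
        if ipaddress.ip_address(m["internal_ip"]) not in lan:
            reasons.append("target outside the LAN")
        if reasons:
            findings.append({**m, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit([parse_mapping(r) for r in SAMPLE_RESPONSES]):
        print(f"WAN {f['protocol']}/{f['external_port']} -> "
              f"{f['internal_ip']}:{f['internal_port']}: {', '.join(f['reasons'])}")
```

On the constructed samples only the third mapping is reported: it points at a host nobody approved, never expires, and carries no description, which is exactly the shape of the forward a program has quietly added. Disabled entries are skipped, and a response missing a field is rejected rather than silently treated as harmless.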
TassyJim, Guru. Joined: 07/08/2011. Location: Australia. Posts: 6283

The Pi I use for the micromite which is accessed by all is on a separate internal network to my personal machines. This is not because I worry about ser2net, but because it was easier to have it in the network with other systems that ARE accessed by others and out of my full control.

Jim VK7JH MMedit
The Back Shed's forum code is written, and hosted, in Australia. © JAQ Software 2025