Home of the Squeezebox™ & Transporter® network music players.
  1. #11
    Senior Member
    Join Date
    Dec 2020
    Posts
    320
    Quote Originally Posted by PaulH View Post
    No external FW


    Yes, avoid unwanted external access on my internal network.

    Maybe the Pi with Pcp and LMS is only slightly vulnerable ???
    Okay. If you have an internal network that implies that you have a (masquerading) router that allows you access to the internet. I'll give it a 99% chance that you are using an internal address range reading 192.168.x.x, just like 99% of the other home users and the address 192.168.0.1 probably exists more than 1 million times which means that it is impossible to access (or reply to) any specific machine with that address from any random location on the internet, except within that same local network or as a response to the masquerading firewall. In theory IPV6 changes this, but just like IPV4 the extended protocol lacks autodiscovery and thus if your router would even be bidirectional then a perpetrator would have to know both your external address and your internal address range to set up his own routing rules because no public system will provide these routes.

    In other words, if someone on the outside would be able to gain access to your LMS then you will have a much bigger problem because all your Windows machines will have been compromised already.

  2. #12
    Senior Member
    Join Date
    Feb 2011
    Location
    Cheshire, UK
    Posts
    6,734
    Quote Originally Posted by gordonb3 View Post
    Okay. If you have an internal network that implies that you have a (masquerading) router that allows you access to the internet. I'll give it a 99% chance that you are using an internal address range reading 192.168.x.x, just like 99% of the other home users and the address 192.168.0.1 probably exists more than 1 million times which means that it is impossible to access (or reply to) any specific machine with that address from any random location on the internet, except within that same local network or as a response to the masquerading firewall. In theory IPV6 changes this, but just like IPV4 the extended protocol lacks autodiscovery and thus if your router would even be bidirectional then a perpetrator would have to know both your external address and your internal address range to set up his own routing rules because no public system will provide these routes.

    In other words, if someone on the outside would be able to gain access to your LMS then you will have a much bigger problem because all your Windows machines will have been compromised already.
    I suggest 1 million is a very significant underestimate!
    I think this is a case of “a little knowledge…..”
    Jim
    https://jukeradio.double6.net


    VB2.4 storage QNAP TS419p (NFS)
    Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
    Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
    Dining Room SB Radio
    Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
    Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
    Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes

  3. #13
    Senior Member
    Join Date
    Jul 2008
    Posts
    440
    I mean PaulH doesn't specify, but generally speaking, there may be some situations where you don't have control of a network that you use which is also shared with people you don't necessarily "trust". Maybe a dorm or some other kind of shared living arrangement where it's a big flat internal network. Maybe they aren't malicious insiders but maybe you don't want them dicking with your LMS either.

    In which case, I'd probably try to set up my own router that connects to the shared wifi and hide everything behind that.

    //edit, OP says he's using wired lan so my scenario and solution probably doesn't apply... but who knows
    Last edited by sodface; 2022-02-25 at 15:14.

  4. #14
    Senior Member
    Join Date
    Jan 2022
    Location
    Switzerland
    Posts
    146
    Quote Originally Posted by sodface View Post
    //edit, OP says he's using wired lan so my scenario and solution probably doesn't apply... but who knows
    Indeed it's not the case!

  5. #15
    Senior Member
    Join Date
    Jan 2022
    Location
    Switzerland
    Posts
    146
    Quote Originally Posted by slartibartfast View Post
    Are you sure you have no external firewall? Modem/Routers normally have them built in.
    I found some information and indeed, the router of the internet provider has a firewall. However it is preconfigured (how??) and we can not make any changes.
    I think it must be a general rule.
    It's probably better than nothing!

  6. #16
    Senior Member
    Join Date
    Jan 2022
    Location
    Switzerland
    Posts
    146
    Quote Originally Posted by gordonb3 View Post
    In other words, if someone on the outside would be able to gain access to your LMS then you will have a much bigger problem because all your Windows machines will have been compromised already.
    Thank you for this very precise answer!

    In fact I would like to prevent the Raspberry from being used as a gateway to access my other machines.

    But reading you it would be rather the opposite!

  7. #17
    Senior Member
    Join Date
    Dec 2020
    Posts
    320
    Quote Originally Posted by PaulH View Post
    I found some information and indeed, the router of the internet provider has a firewall. However it is preconfigured (how??) and we can not make any changes.
    I think it must be a general rule.
    It's probably better than nothing!
    Internet routers are actually not routers at all. I mean, they do route traffic from one IP segment to another but they also act as access points, providing IP addresses to machines that connect to the `private` side (either wifi or cable) and because the addresses they use on that `private` side are all from the same range of re-usable addresses and therefore are not unique they all include a firewalling method that is known as masquerading. What this means is that the internet router changes every request from machines on the LAN to appear as if it was sent by the router. This is really very powerful because the router itself usually does not provide any services itself (note: some of the more complex ones may offer a web based GUI that is only accessible from the LAN and some ISPs may have included a backdoor that allows them to reprogram your router) and unless you specifically instruct it to forward a specific service to some machine within your LAN it has no clue where to send it and thus will bounce it. In other words, given that you state to be unable to make any changes to your router's configuration, if someone on the outside is controlling one or more of your machines then he is using a connection that YOU initiated - this commonly happens by allowing some program to be run from your web browser or email program.
    Last edited by gordonb3; 2022-02-27 at 01:53.
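
A toy model of the masquerading behaviour described in post #17, added here as an illustration and not written by any poster in this thread. All addresses, ports and names (`MasqueradingRouter`, `demo`) are constructed, and the model assumes the router matches replies on the full remote address and port, which real devices do not all do.

```python
"""Toy model of a masquerading (source-NAT) home router.
Added illustration; addresses, ports and class names are constructed."""
import ipaddress
from dataclasses import dataclass, field

WAN_IP = "203.0.113.7"   # constructed public address (documentation range)


@dataclass
class MasqueradingRouter:
    wan_ip: str = WAN_IP
    next_port: int = 40000
    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)
    # wan_port -> (lan_ip, lan_port); empty unless the owner configures a forward
    forwards: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host opens a connection: rewrite the source, remember the flow."""
        if not ipaddress.ip_address(lan_ip).is_private:
            raise ValueError("LAN side must use a private address")
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.wan_ip, wan_port)   # what the internet sees as the sender

    def inbound(self, remote_ip, remote_port, wan_port):
        """WAN-side packet: deliver only if a tracked flow or a forward matches."""
        flow = self.conntrack.get((wan_port, remote_ip, remote_port))
        if flow:
            return ("reply", flow)
        if wan_port in self.forwards:
            return ("forwarded", self.forwards[wan_port])
        return ("dropped", None)         # no mapping: no LAN host to send it to


def demo():
    r = MasqueradingRouter()
    out = {}
    # LAN machine connects out; the remote server only ever sees the router.
    out["seen_as"] = r.outbound("192.168.0.20", 51000, "198.51.100.10", 443)
    out["reply"] = r.inbound("198.51.100.10", 443, out["seen_as"][1])
    # Unsolicited packets from a different host have no tracked flow.
    out["unsolicited"] = r.inbound("198.51.100.99", 55555, 9000)
    out["other_host_same_port"] = r.inbound("198.51.100.99", 443, out["seen_as"][1])
    # Only an explicit forward (sample port 9000) exposes a LAN service.
    r.forwards[9000] = ("192.168.0.20", 9000)
    out["after_forward"] = r.inbound("198.51.100.99", 55555, 9000)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
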

  8. #18
    Senior Member
    Join Date
    Dec 2020
    Posts
    320
    Quote Originally Posted by d6jg View Post
    I suggest 1 million is a very significant underestimate!
    I think this is a case of “a little knowledge…..”
    Jim, nobody cares whether it is 1 million, 10 million or 100 million. The point is that it is not unique and you should really try to work on your temper.

  9. #19
    Senior Member
    Join Date
    Feb 2011
    Location
    Cheshire, UK
    Posts
    6,734
    Quote Originally Posted by gordonb3 View Post
    Jim, nobody cares whether it is 1 million, 10 million or 100 million. The point is that it is not unique and you should really try to work on your temper.
    You’ve misunderstood.
    I’m not in the slightest bit angry.
    Instead I fear that the OP has a fundamental misunderstanding of networking but since his first language clearly isn’t English I’m not going to be able to help him by explaining.
    Jim
    https://jukeradio.double6.net



  10. #20
    Senior Member
    Join Date
    Dec 2020
    Posts
    320
    Quote Originally Posted by d6jg View Post
    Instead I fear that the OP has a fundamental misunderstanding of networking but since his first language clearly isn’t English I’m not going to be able to help him by explaining.
    It's rarely language that causes miscommunication - it's the inability to explain jargon without using yet more jargon. This is what distinguishes teachers from people that like to brag about their high education.
