Home of the Squeezebox™ & Transporter® network music players.
  1. #21
    Quote Originally Posted by gordonb3:
    It's rarely language that causes miscommunication - it's the inability to explain jargon without using yet more jargon. This is what distinguishes teachers from people that like to brag about their high education.
    Paragraphs help too

    (couldn't resist )

    ronnie

  2. #22
    Quote Originally Posted by gordonb3:
    Internet routers are actually not routers at all. I mean, they do route traffic from one IP segment to another but they also act as access points, providing IP addresses to machines that connect to the `private` side (either wifi or cable) and because the addresses they use on that `private` side are all from the same range of re-usable addresses and therefore are not unique they all include a firewalling method that is known as masquerading. What this means is that the internet router changes every request from machines on the LAN to appear as if it was sent by the router. This is really very powerful because the router itself usually does not provide any services itself (note: some of the more complex ones may offer a web based GUI that is only accessible from the LAN and some ISPs may have included a backdoor that allows them to reprogram your router) and unless you specifically instruct it to forward a specific service to some machine within your LAN it has no clue where to send it and thus will bounce it. In other words, given that you state to be unable to make any changes to your router's configuration, if someone on the outside is controlling one or more of your machines then he is using a connection that YOU initiated - this commonly happens by allowing some program to be run from your web browser or email program.
    Thanks gordonb3,

    To summarize and if I understand correctly:

    Raspberry itself is not a "danger". There is much more risk with the computers connected on the network.

    The point of entry would be the computers (through an unfortunate download) and not pCP/LMS.

    Am I right ?

  3. #23
    Quote Originally Posted by PaulH:
    Thanks gordonb3,

    To summarize and if I understand correctly:

    Raspberry itself is not a "danger". There is much more risk with the computers connected on the network.

    The point of entry would be the computers (through an unfortunate download) and not pCP/LMS.

    Am I right ?
    Yes that is pretty much correct.
    Although it isn’t normally the computers themselves that create the risk it’s actually the users doing something that they shouldn’t albeit perhaps unknowingly. That’s why at minimum you should run some kind of AntiVirus software on a PC.

    Assuming you are using pCP/LMS on the Pi all that does when you play internet radio is send a request to an external server to access the stream. Because the request is “solicited” your router accepts the return packet and sends it on to the Pi. If the packet coming from the internet was “unsolicited” it would get rejected.

    Gordon refers to the process as IP masquerading but if you want to Google to understand better then I suggest start with NAT or “Network Address Translation”. This is the basis of all routers whose job is to connect a private network to the public internet. Such routers are often referred to as “home routers” and always include a firewall of some description.

    There is another sort of router which has the job of connecting parts of the public internet to other parts. Some of these sit on the ISP's network, others sit on the peer network that connects say DE to GB and others sit in Data Centres. These do not generally do any masquerading or form of NATing and their job is literally to route packets correctly to the next router on the way (a hop).
    Jim
    https://jukeradio.double6.net


    VB2.4 storage QNAP TS419p (NFS)
    Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
    Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
    Dining Room SB Radio
    Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
    Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
    Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes

  4. #24
    Quote Originally Posted by sodface:
    I mean PaulH doesn't specify, but generally speaking, there may be some situations where you don't have control of a network that you use which is also shared with people you don't necessarily "trust". Maybe a dorm or some other kind of shared living arrangement where it's a big flat internal network. Maybe they aren't malicious insiders but maybe you don't want them dicking with your LMS either.

    In which case, I'd probably try to setup my own router that connects to the shared wifi and hide everything behind that.

    //edit, OP says he's using wired lan so my scenario and solution probably doesn't apply... but who knows
    I work in an office building that provides internet service via wireless and ethernet. The building manager is using the router that the ISP provided. There is no internet security between the tenants. I plugged my own router into the ethernet connection, and then all of my devices (computer, SB Radios, printer) connect to my own router. My understanding is this will help block people on the building's internet from accessing my own personal network.

    Some of the tenants have been telemarketers and I don't trust some of the people they hire.

    I run a similar approach at home. I connect all the unsecured internet of things (dryer, roomba, roku, etc) to the first router connected to my ISP. My second router is connected to the first router, and all my personal stuff connects to the second router.

    If I understand correctly, to get to my computer someone would have to get past both routers and their internal firewall (NAT).

    This was really easy to install. I just have to remember which stuff is connected to which network (router). The complexity is setting up internet of things because my phone needs to be able to communicate to the device, so I need to temporarily connect to the higher-level network and turn off isolation on the guest wireless network.

  5. #25
    Quote Originally Posted by PaulH:
    Thanks gordonb3,

    To summarize and if I understand correctly:

    Raspberry itself is not a "danger". There is much more risk with the computers connected on the network.

    The point of entry would be the computers (through an unfortunate download) and not pCP/LMS.

    Am I right ?
    I'd say Yes and No.

    The Pi is unlikely to be *directly* attacked by distant attackers, but defending resources means more than just stopping the initial attack, it also means trying to deny the attackers "lateral movement" (spreading from one device** to another) and "persistence" (keeping their code running somewhere). I expect pCP presents a medium risk to the network as a lateral target and spot for persistence. Good news is it exposes relatively few "services" (has relatively little software "listening" for new, unexpected connections), so it's better than some end-of-life network printer running gobs of print daemon and management software. Bad news is that AFAIK it doesn't have mechanisms for automated security updates, nor deep corporate pockets to ensure quick response to new security concerns, so it's not as safe as a Pi running Ubuntu with unattended-upgrades configured to automatically install security updates & reboot as needed. Plus the Pi is relatively powerful and easy to add software to -- an attacker could much more easily load and hide malware on a pCP running Tiny Core Linux than, say, on a Squeezebox Classic which doesn't run a normal "computer" OS, and has little in the way of RAM & CPU resources.

    Is it possible to allow only one IP computer to connect it ?
    Yes, as others have mentioned, with packet filter/firewall rules on the device. In modern Linux that means "iptables" which you should be able to install as an "extension" to pCP and its Tiny Core Linux base. (pCP web UI main page > Additional functions > Extensions). I'd suggest posting a new thread here asking for advice on how to do that in pCP. Here's the basic recipe I've used in the past on "normal" Linux systems (along with a default DROP policy and some more rules to allow myself remote access, e.g. to SSH on tcp:22)

    Code:
    #!/bin/sh
    # Only these hosts may reach the LMS ports; anything else falls through to the default DROP policy.
    slim_full_nets="10.2.3.4/32 10.2.3.5/32"
    # LMS CLI (9090), web UI (9000) and slimproto (3483) over TCP
    for port in 9090 9000 3483; do
      for slim_net in $slim_full_nets; do
        /usr/sbin/iptables -A INPUT -p tcp --dport $port -s $slim_net -j ACCEPT
      done
    done
    # slimproto discovery/control over UDP 3483
    for port in 3483; do
      for slim_net in $slim_full_nets; do
        /usr/sbin/iptables -A INPUT -p udp --dport $port -s $slim_net -j ACCEPT
      done
    done
    That's with an old-school approach of only DROPing unexpected connections on the INPUT table. It's a good idea, when you can, to also make the OUTPUT policy DROP and add rules allowing what's needed (like LMS -> player on UDP:3483, and TCP replies to :9000 and :9090).

    For pCP you'd add those rules to something like /opt/bootlocal.sh

    Firewall pro tip: it's really easy to lock yourself out w/ firewall changes. I like to configure some way to automatically revert the rules or drop the firewall after a number of minutes so that if I really goof things I know I can just wait a few minutes. On full systems the "at" command is great for this. Use 'at' to schedule reverting, make the change, test, and if all is still ok, use "atrm" to cancel the reversion.

    On pCP I think I'd
    - write all my rules into a new file that pCP would *not* automatically execute
    - SSH in and execute that script & test (if your rules allow SSH from somewhere, be sure to verify you can get another SSH connection; don't assume that your existing connection staying alive means new connections will be allowed)
    - if all seems well, edit /opt/bootlocal.sh to call your script.

    ** I say "device" deliberately; in theory anything on the network, from a $10 light bulb to a $1000 laptop, is a risk.
    owner of the stuff at https://tuxreborn.netlify.app/
    (which used to reside at www. tux.org/~peterw/)
    Note: The best way to reach me is email or PM, as I don't spend much time on the forums.
    Free plugins: AllQuiet Auto Dim/AutoDisplay BlankSaver ContextMenu DenonSerial
    FuzzyTime KidsPlay KitchenTimer PlayLog PowerCenter/BottleRocket SaverSwitcher
    SettingsManager SleepFade StatusFirst SyncOptions VolumeLock

  6. #26
    Quick note: the tinycore iptables extension that pCP ships includes the iptables-save utility, so a simpler approach should be possible:
    - SSH in
    - set up an automatic clean reboot in case things go wrong:
    (sleep 600 && sudo reboot now) &
    - execute iptables commands with sudo to add the rules you want
    - test
    - if all is well, kill the background sleep+reboot command with kill %1 and then execute sudo iptables-save and pcp bu to make sure the rules are saved
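    Putting the two posts above together (the allow-list rules from #25 and the sleep-then-reboot safety net from #26), here is an added example script that is not code from the thread or from the pCP project. The host addresses are constructed sample values, and the iptables path and the conntrack match are assumptions about what the Pi's iptables extension provides.

```shell
#!/bin/sh
# Added example, not code from the thread or pCP: builds the allow-list
# rule set described in #25 and wraps applying it in the sleep-then-reboot
# safety net from #26. Host addresses are constructed sample values; the
# iptables path and the conntrack match are assumptions about the Pi.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Print one iptables command per line instead of running it, so the rule
# set can be read first and then applied with:  emit_rules ... | sudo sh -e
emit_rules() {
    allowed_hosts=$1   # LMS/player hosts, e.g. "10.2.3.4/32 10.2.3.5/32"
    admin_host=$2      # the one host still allowed to SSH in
    printf '%s -P INPUT DROP\n' "$IPTABLES"
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$IPTABLES"
    # Replies to connections the Pi opened itself (internet radio streams etc.)
    printf '%s -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPTABLES"
    printf '%s -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$IPTABLES" "$admin_host"
    for host in $allowed_hosts; do
        # LMS web UI (9000), CLI (9090) and slimproto (3483) over TCP ...
        for port in 9000 9090 3483; do
            printf '%s -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' \
                "$IPTABLES" "$port" "$host"
        done
        # ... and slimproto discovery/control on UDP 3483
        printf '%s -A INPUT -p udp --dport 3483 -s %s -j ACCEPT\n' "$IPTABLES" "$host"
    done
}

# Number of commands emit_rules produces: 4 fixed + 4 per allowed host.
rule_count() {
    emit_rules "$1" "$2" | wc -l | tr -d ' '
}

# Safety net from #26: run the revert command (default: sudo reboot) after
# N seconds unless cancelled. Prints the background job's PID; once a *new*
# SSH session works, cancel with `kill <pid>`. Note the &&: with a single &
# the reboot would run immediately instead of after the sleep.
start_revert_timer() {
    seconds=$1
    revert_cmd=${2:-"sudo reboot"}
    ( sleep "$seconds" && $revert_cmd ) >/dev/null 2>&1 &
    echo $!
}

# Typical session on the Pi: schedule, apply, test from a fresh SSH, cancel.
# pid=$(start_revert_timer 600)
# emit_rules "10.2.3.4/32 10.2.3.5/32" "10.2.3.4/32" | sudo sh -e
# kill "$pid"
```

    The script only prints the rules; nothing touches the live firewall until you pipe the output into sh, so you can read every line first.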

  7. #27
    Quote Originally Posted by P Nelson:
    I work in an office building that provides internet service via wireless and ethernet. The building manager is using the router that the ISP provided. There is no internet security between the tenants. I plugged my own router into the ethernet connection, and then all of my devices (computer, SB Radios, printer) connect to my own router. My understanding is this will help block people on the building's internet from accessing my own personal network.

    Some of the tenants have been telemarketers and I don't trust some of the people they hire.

    I run a similar approach at home. I connect all the unsecured internet of things (dryer, roomba, roku, etc) to the first router connected to my ISP. My second router is connected to the first router, and all my personal stuff connects to the second router.

    If I understand correctly, to get to my computer someone would have to get past both routers and their internal firewall (NAT).

    This was really easy to install. I just have to remember which stuff is connected to which network (router). The complexity is setting up internet of things because my phone needs to be able to communicate to the device, so I need to temporarily connect to the higher-level network and turn off isolation on the guest wireless network.
    Great examples and I would agree with your assessment that someone would have to "get past both routers". In the latter IoT example, you sort of have those devices in a DMZ but if you don't allow inbound connections to any of them through router #1 then it's probably not technically a DMZ, but same sort of idea.

    In both instances I guess you are double NAT'ing (for lack of a better term). I do a similar thing when I'm in a campground using the free wifi (if available). I'm in the habit of using 10.0.x.x for my internal LANs mostly because it's shorter to type but now I'm wondering if you used the typical 192.168.0.0/24 or 192.168.1.0/24 on the internal network side of your router and the provider network (office building, campground, etc) used the same IP space, your router WAN port would get a DHCP address in the same range as your internal network, right? Seems like that could cause some weird issues.
    Last edited by sodface; 2022-02-27 at 09:53.

  8. #28
    Quote Originally Posted by sodface:
    Great examples and I would agree with your assessment that someone would have to "get past both routers". In the latter IoT example, you sort of have those devices in a DMZ but if you don't allow inbound connections to any of them through router #1 then it's probably not technically a DMZ, but same sort of idea.

    In both instances I guess you are double NAT'ing (for lack of a better term). I do a similar thing when I'm in a campground using the free wifi (if available). I'm in the habit of using 10.0.x.x for my internal LANs mostly because it's shorter to type but now I'm wondering if you used the typical 192.168.0.0/24 or 192.168.1.0/24 on the internal network side of your router and the provider network (office building, campground, etc) used the same IP space, your router WAN port would get a DHCP address in the same range as your internal network, right? Seems like that could cause some weird issues.
    It would cause issues. In the same vein if your internal network was 193.168.1.0 and you needed a VPN connection to your office which was also 192.168.1.0 then it wouldn’t necessarily work. In such circumstances one of the subnets needs to change. That said no IT admin worth his salt would ever choose 192.168.1.0 or similar at the work end. More likely they would choose a random number up to 254 in the third octet e.g. 192.168.222.0 or if it was a large network 10.0.x.x
    Jim

  9. #29
    Quote Originally Posted by sodface:
    Great examples and I would agree with your assessment that someone would have to "get past both routers". In the latter IoT example, you sort of have those devices in a DMZ but if you don't allow inbound connections to any of them through router #1 then it's probably not technically a DMZ, but same sort of idea.

    In both instances I guess you are double NAT'ing (for lack of a better term). I do a similar thing when I'm in a campground using the free wifi (if available). I'm in the habit of using 10.0.x.x for my internal LANs mostly because it's shorter to type but now I'm wondering if you used the typical 192.168.0.0/24 or 192.168.1.0/24 on the internal network side of your router and the provider network (office building, campground, etc) used the same IP space, your router WAN port would get a DHCP address in the same range as your internal network, right? Seems like that could cause some weird issues.
    I also bring my own travel router for camping and hotels. It is great because I don't have to mess with passwords for our phones and tablets, I just need to set up one device. Also it adds additional security as the security level is unknown at public wifi.

    The TP-Link travel routers appear to figure out the IP addresses so there is no conflict. I first connect to the travel router's SSID, then go to tplinkwifi.net to set it up for the public Wifi. It will then reboot itself as its IP might change, however, I just need to remember to use tplinkwifi.net for any set-up, as opposed to using the IP address.

    I think most brand name routers' software figure out avoiding IP conflicts.

    Paul

  10. #30
    Quote Originally Posted by sodface:
    ..., your router WAN port would get a DHCP address in the same range as your internal network, right? Seems like that could cause some weird issues.
    Nothing weird, it simply won't work because the router will send all traffic meant for that specific IP range out on the first network device that is listed as an access for that IP range. The result is that everything that is connected to the second network device can talk to the router but will never receive a reply.

    As for double NAT'ing, I prefer to use the word masquerading, this is really not an issue because no individual network can see what is behind the mask or even if there is a mask. It is the purpose of the router to track whom the mask belongs to and forward responses to the corresponding user which may be a real user or yet another masquerader. And of course on the other end it is fairly unlikely that you are talking directly to the server that is hosting whatever you are accessing, so double NAT'ing is more of a rule than an exception.
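    The subnet collision discussed in #27, #28 and #30 (the inner router's WAN lease landing inside its own LAN range) can be checked before plugging in, and the "pick a different third octet" advice automated, roughly what the TP-Link travel router in #29 is described as doing. This is an added example, not code from the thread or any router vendor, and all addresses in it are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: detect the double-NAT collision the
# posts above discuss (the travel/inner router's WAN lease landing inside
# its own LAN subnet) and pick a LAN subnet that avoids it.
# All addresses here are constructed sample values.

# Dotted-quad address -> 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Network number of a CIDR block, e.g. 192.168.1.0/24 -> 3232235776
net_of() {
    addr=${1%/*}
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    echo $(( $(ip2int "$addr") & mask ))
}

# Succeeds (exit 0) when the WAN address lies inside the LAN subnet: the
# router would then send LAN-bound replies out of the wrong interface (#30).
wan_collides_with_lan() {
    wan_addr=$1
    lan_cidr=$2
    [ "$(net_of "$wan_addr/${lan_cidr#*/}")" -eq "$(net_of "$lan_cidr")" ]
}

# First 192.168.N.0/24 (N counting up from $2, default 1) that the WAN
# lease is not inside; prints it, or fails if none is free.
pick_lan_subnet() {
    wan_addr=$1
    n=${2:-1}
    while [ "$n" -le 254 ]; do
        cand="192.168.$n.0/24"
        if ! wan_collides_with_lan "$wan_addr" "$cand"; then
            echo "$cand"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Example: the building's router handed our WAN port 192.168.1.57
# wan_collides_with_lan 192.168.1.57 192.168.1.0/24   -> exit 0 (collision)
# pick_lan_subnet 192.168.1.57                        -> 192.168.2.0/24
```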
