On Tuesday, 1 March 2022 12:35:17 GMT Peter Humphrey wrote:
> Hello list,
> 
> I use net-firewall/shorewall to protect my machines; it's served me well for
> many years. My ISP gave me a FritzBox modem-router recently, in the hope of
> better media streaming, but it's spamming my LAN server with HTTP requests
> (port 80). The other machines are left alone; just this one is affected.
> 
> The many log entries are not a serious problem, just a nuisance, but I'd
> rather not have to put up with them.
> 
> AVM, the modem's maker, says I should set shorewall up on this machine to
> accept either port-80 requests or unsolicited packets of type 0x88e1. That
> type is HomePlug Management, apparently, and the FritzBox is looking for any
> such devices on the LAN. I don't know why it's picked on this one machine
> to query, unless it's because it has the lowest IP address.
> 
> Questions:
> 1. Will I be opening myself to external HTTP attacks if I open that port to
> the modem-router? I assume I will, though no such service is running - at
> the moment.
> 2. As far as I can see, shorewall filters only on ports, not packet types.
> If so, how can I specify a packet type to it?
> 3. Does anyone here know how to specify HomePlug in shorewall?
> 
> Google hasn't helped much, nor has the Shorewall website, so I hope someone
> here has experience of this.

Have you seen this regarding the specific ethertypes:

https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box

Sadly I don't know anything about Shorewall, but you can look at configuring 
netfilter with some additional hand-crafted rules to drop the above ethertypes 
without logging them.

However, what I would prefer to do in your circumstances is find if your router
is supported by OpenWRT firmware and configure SQM with FQ-Codel in it to manage
bufferbloat.  I expect this should improve your streaming better than whatever
AVM have configured in the box.
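
An added example, not part of either message in this thread: a small Ethernet frame classifier showing why a port-based rule and an EtherType-based rule look at different layers. Frames of type 0x88e1 or 0x8912 carry no IP header, so there is no port for a rule to compare. The MAC and IP addresses and the frame payloads are constructed for illustration.

```python
import struct

# EtherType values; 0x88e1 and 0x8912 are the two named on this page.
KNOWN = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
         0x88E1: "HomePlug management", 0x8912: "0x8912 (see linked question)"}
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags precede the real EtherType


def classify(frame: bytes) -> dict:
    """Return the frame's EtherType and, for IPv4 TCP/UDP only, its destination port."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14                      # start of payload when no VLAN tag is present
    while ethertype in VLAN_TPIDS:   # skip each 4-byte tag to reach the real type
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    dport = None
    if ethertype == 0x0800 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[offset + 9]                 # 6 = TCP, 17 = UDP
        if proto in (6, 17) and len(frame) >= offset + ihl + 4:
            (dport,) = struct.unpack_from("!H", frame, offset + ihl + 2)
    return {"ethertype": ethertype,
            "name": KNOWN.get(ethertype, "unknown"),
            "dport": dport}


def port_rule_can_match(frame: bytes, port: int = 80) -> bool:
    """A port-based rule only has something to compare when the frame carries TCP/UDP."""
    return classify(frame)["dport"] == port


# Constructed sample frames (MAC and IP addresses are made up).
MACS = bytes.fromhex("ffffffffffff" "020000000001")
IPV4_TCP = (bytes.fromhex("45000028000040004006") + b"\x00\x00"
            + bytes([192, 168, 1, 1, 192, 168, 1, 2])
            + struct.pack("!HH", 40000, 80) + bytes(16))
HTTP_FRAME = MACS + struct.pack("!H", 0x0800) + IPV4_TCP
HOMEPLUG_FRAME = MACS + struct.pack("!H", 0x88E1) + bytes(46)
TAGGED_HOMEPLUG = MACS + struct.pack("!HHH", 0x8100, 10, 0x88E1) + bytes(42)

if __name__ == "__main__":
    for label, f in [("http", HTTP_FRAME), ("homeplug", HOMEPLUG_FRAME),
                     ("vlan+homeplug", TAGGED_HOMEPLUG)]:
        print(label, classify(f), "port 80 rule matches:", port_rule_can_match(f))
```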
