This is a discussion on "DSL setup questions... again." within the Linux Networking forums, part of the Linux Forums category.
I incorrectly posted this to c.s.firewalls, and got little useful response.
It belongs here, I think.

I've asked questions about this a while back, but still not sure of details. I've got ADSL from my ISP via Qwest to an Actiontec 1524 DSL modem. It is connected to an ethernet switch, to which a Linux box and a M$ PC are also connected. The Actiontec is the "gateway" with a permanent address on the LAN side. It connects to the ISP using PPPoA and DHCP. Or so says the Actiontec's web page.

It appears that as long as everything is up and running, the Actiontec sees the ethernet switch as an active component, even when both computers are powered down. At least it shows a regular blip on its ethernet interface, suggesting that there is activity, and the interface light remains on at all times. When both computers were connected directly to the Actiontec, the interface lights went out when the computers powered down.

Questions:

1) It would seem that neither computer has to worry about DHCP, as that is settled between the DSL modem and the ISP. Effectively, then, the computers are left with a permanent Internet address. Is this correct?

2) If so, then it would seem that as far as the computers are concerned, they both access a fixed internet address, and that address is the LAN address of the modem and not the assigned address on the ISP side. Is that correct?

3) I've made a practice of having a terminal running tcpdump whenever the box is up, and have seen no intrusive activity at all. In fact, except for explicit activity with the time server, the mail server, the news server, and whatever http server I'm doing business with, there is no more activity now than when the DSL modem was not connected to the LAN. Given that the modem is actually a NAT enabled bridge, does that suggest that it is doing everything that needs to be done? I'm aware that this is commonly thought not to be the case....

4) The PC is running Zone Alarm, just as it did when it was a dial-up, with ZA now seeing the Internet via a gateway on the LAN rather than via a dial-up account. Apparently there is no change in the extent of protection offered. Or maybe we've just been lucky? I'm running Shorewall on the Linux box, configured the same way, and have yet to see any untoward activity. Not sure how well it's configured, but apparently it works. Again, have we just been lucky?

5) The point of all this is that I'm generating a real firewall for my box, with every issue addressed. I'm using Bob Ziegler's "Linux Firewalls" as the prototype. I gather that he and his work are generally well regarded. Is that the case in this venue as well?

6) And finally, if any of the resident experts are familiar with Ziegler's book, I would appreciate the chance to post specific questions; and probably enough of them to bore everyone stiff....LOL!!!! Is anyone familiar with this stuff and willing to mentor me a bit, please?

Thanks all,

Bill Tallman
--
Registered Linux User: #221586
Mdk-9.0 and IceWM
Gkrellm still watches over me...
"William D. Tallman" <wtallman@olypen.com> said:
>I've got ADSL from my ISP via Qwest to an Actiontec 1524 DSL modem. It is
>connected to an ethernet switch, to which a Linux box and a M$ PC are also
>connected. The Actiontec is the "gateway" with a permanent address on the
>LAN side. It connects to the ISP using PPPoA and DHCP. Or so says the
>Actiontec's web page.

Ok.

>It appears that as long as everything is up and running, the Actiontec sees
>the ethernet switch as an active component, even when both computers are
>powered down.

Correct.

>At least it shows a regular blip on its ethernet interface, suggesting
>that there is activity, and the interface light remains on at all
>times. When both computers were connected directly to the Actiontec,
>the interface lights went out when the computers powered down.

I'm not sure why there should be activity with the computers powered down. But at ethernet level the link really is up as long as the switch is powered up.

>Questions:
>
>1) It would seem that neither computer has to worry about DHCP, as that
>is settled between the DSL modem and the ISP. Effectively, then, the
>computers are left with a permanent Internet address. Is this correct?

Yes..no. The computers effectively don't have Internet addresses at all; they only have _intranet_ addresses. Your modem apparently has an Internet address it obtained by DHCP from your ISP.

But correct in that sense, that with that kind of set-up you can keep consistent, non-changing addresses on your LAN.

>2) If so, then it would seem that as far as the computers are concerned,
>they both access a fixed internet address, and that address is the LAN
>address of the modem and not the assigned address on the ISP side. Is that
>correct?

Both computers access the Internet through a gateway having a fixed address. Still, the "LAN address of the modem" apparently is not an Internet address. Sorry to be anal over these, but trying to keep these straight tends to at some point clarify things.

>3) I've made a practice of having a terminal running tcpdump whenever
>the box is up, and have seen no intrusive activity at all. In fact,
>except for explicit activity with the time server, the mail server, the
>news server, and whatever http server I'm doing business with, there is
>no more activity now than when the DSL modem was not connected to the
>LAN. Given that the modem is actually a NAT enabled bridge, does that
>suggest that it is doing everything that needs to be done? I'm aware
>that this is commonly thought not to be the case....

I'd say that you can't NAT on a bridge. Sounds like a NATting router.

At network level everything now depends on the configuration of the modem: have you assigned any ports to be forwarded to any of the LAN machines for incoming traffic? So, f.ex. if someone connects to port 25 ("smtp", common port for providing mail server service) of your modem from the Internet, does the modem just drop/reject the traffic, or have you configured it to forward those requests to one of your internal machines?

Basically, I'd expect that all traffic you see in your LAN is packets originated by your machine, and response packets to these.

One thing you need to find out, though: is the configuration www service that your modem provides available also to the Internet? If so, have you set up a good enough password (or rather, find out whether there is any way to restrict the configuration access to LAN only).

>4) The PC is running Zone Alarm, just as it did when it was a dial-up,
>with ZA now seeing the Internet via a gateway on the LAN rather than
>via a dial-up account. Apparently there is no change in the extent
>of protection offered. Or maybe we've just been lucky? I'm running
>Shorewall on the Linux box, configured the same way, and have yet to
>see any untoward activity. Not sure how well it's configured, but
>apparently it works. Again, have we just been lucky?

With just a dial-up, your PC apparently has been completely visible to the Internet - whereas now what is seen externally is just the router, and any outbound traffic generated by your machines. I consider the difference in levels of protection a big one.

So, your current risk is that you end up requesting (directly or indirectly) some traffic that is malicious and effective against your applications (so, spyware on WWW; mail-based virii and so on). What you need against these is:
- keeping your systems updated
- disabling unnecessary services
- on PC, running an antivirus software

What still might help in case of compromise:
- filtering outbound traffic (so limiting what can go out, to prevent your machines from infecting others). For PC, ZA should be a good tool for this; for Linux, netfilter (iptables) can be effectively used - however, you need to know what outbound traffic is needed for your own use.

>5) The point of all this is that I'm generating a real firewall for my box,
>with every issue addressed. I'm using Bob Ziegler's "Linux Firewalls" as
>the prototype. I gather that he and his work are generally well regarded.
>Is that the case in this venue as well?
>
>6) And finally, if any of the resident experts are familiar with Ziegler's
>book, I would appreciate the chance to post specific questions; and
>probably enough of them to bore everyone stiff....LOL!!!! Is anyone
>familiar with this stuff and willing to mentor me a bit, please?

Unfortunately I don't have experience with Ziegler's books, so can't comment on them.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
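The expectation stated in the reply above, that everything seen on the LAN is either a packet the local machine sent or a response to one, can be checked mechanically against the tcpdump terminal the original poster keeps open. The following is an added example written for this page, not code from either poster or from any tool they mention. It assumes classic "tcpdump -n" line format, treats 192.168.0.2 as the LAN host being watched, and uses constructed capture lines (documentation addresses stand in for Internet hosts). It tracks flows the local host opens and flags anything arriving that does not belong to one of them, which is exactly the "unsolicited" traffic a NAT router should be dropping.

```python
import re
from collections import Counter

# Constructed sample capture (tcpdump 3.x style "IP src.port > dst.port:" lines,
# made up for this example). 192.168.0.2 is the assumed LAN host; the NTP reply,
# the SMTP connection it opened, and two inbound SYNs nobody asked for.
SAMPLE_CAPTURE = """\
11:32:02.000001 IP 192.168.0.2.32771 > 203.0.113.10.123: udp 48
11:32:02.050000 IP 203.0.113.10.123 > 192.168.0.2.32771: udp 48
11:32:03.000000 IP 192.168.0.2.33005 > 203.0.113.20.25: S 10:10(0) win 5840 <mss 1460>
11:32:03.040000 IP 203.0.113.20.25 > 192.168.0.2.33005: S 99:99(0) ack 11 win 5792
11:32:03.041000 IP 192.168.0.2.33005 > 203.0.113.20.25: . ack 100 win 5840
11:32:07.000000 IP 198.51.100.7.4444 > 192.168.0.2.25: S 500:500(0) win 65535
11:32:09.000000 IP 198.51.100.7.4444 > 192.168.0.2.135: S 501:501(0) win 65535
"""

# One line of "tcpdump -n" output: timestamp, "IP", src.port > dst.port: rest
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return (ts, src, sport, dst, dport, rest), or None for non-IP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m.group("ts"), m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), m.group("rest"))


def classify_capture(capture_text, local_ip):
    """Label each packet as 'outbound', 'reply', 'unsolicited' or 'other'.

    A flow is keyed by (local port, remote address, remote port). The first
    packet the local host sends registers the flow; later packets from the
    remote side of a registered flow are replies, and anything else that
    arrives for the local host is unsolicited. Packets not involving
    local_ip at all are labelled 'other'.
    """
    known_flows = set()
    labelled = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        ts, src, sport, dst, dport, rest = pkt
        if src == local_ip:
            known_flows.add((sport, dst, dport))
            label = "outbound"
        elif dst == local_ip:
            label = "reply" if (dport, src, sport) in known_flows else "unsolicited"
        else:
            label = "other"
        labelled.append((ts, src, sport, dst, dport, label))
    return labelled


def summarize(labelled):
    """Count packets per label; on a correctly NATting router 'unsolicited' stays 0."""
    return Counter(label for *_, label in labelled)


def unsolicited_targets(labelled):
    """(remote address, local port) pairs that arrived with no matching outbound flow."""
    return sorted({(src, dport)
                   for _, src, _, _, dport, label in labelled
                   if label == "unsolicited"})


if __name__ == "__main__":
    packets = classify_capture(SAMPLE_CAPTURE, "192.168.0.2")
    for ts, src, sport, dst, dport, label in packets:
        print(f"{ts} {src}:{sport} -> {dst}:{dport}  {label}")
    print(dict(summarize(packets)))
    print("unsolicited inbound:", unsolicited_targets(packets))
```

Run against a real capture, the output of `tcpdump -n` can be piped in instead of the constructed text; any non-empty "unsolicited inbound" list means something reached the LAN host without that host asking for it, which is either a port forward configured on the modem or the modem not doing what the thread expects of it. UDP replies that arrive after a long delay, or flows opened before the capture started, will also show up here, so the list is a prompt to look, not a verdict.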
Juha Laiho wrote:
<snip>

Thanks for the info and the heads ups. You confirmed my thinking on most issues, and I appreciate your response!

Bill Tallman
--
Registered Linux User: #221586
Mdk-9.0 and IceWM
Gkrellm still watches over me...
On Sun, 01 Feb 2004 11:32:02 GMT, Juha Laiho hath writ:
> "William D. Tallman" <wtallman@olypen.com> said:
>>I've got ADSL from my ISP via Qwest to an Actiontec 1524 DSL modem. It is
>>connected to an ethernet switch, to which a Linux box and a M$ PC are also
>>connected. The Actiontec is the "gateway" with a permanent address on the
>>LAN side. It connects to the ISP using PPPoA and DHCP. Or so says the
>>Actiontec's web page.
>
> Ok.

I just finished an identical install here: Qwest, ADSL, Actiontec 1524. System here: A Win XP, an OS/2 Warp, and this MDK 9.1 are plugged into 3 of the four switch ports on the back of the Actiontec. (And, as close as I can read the doc's, it is a *switch*, not a hub.) Then, a hub with a (seldom on) Win 95, and a (sometimes on) MDK 8.2 is plugged into the 4th Actiontec switch port.

>>It appears that as long as everything is up and running, the Actiontec sees
>>the ethernet switch as an active component, even when both computers are
>>powered down.
>
> Correct.
>
>>At least it shows a regular blip on its ethernet interface, suggesting
>>that there is activity, and the interface light remains on at all
>>times. When both computers were connected directly to the Actiontec,
>>the interface lights went out when the computers powered down.
>
> I'm not sure why there should be activity with the computers powered down.
> But at ethernet level the link really is up as long as the switch is
> powered up.

I see the Actiontec "polling"(?) the hub when none of the pc's are turned on.

>>Questions:
>>
>>1) It would seem that neither computer has to worry about DHCP, as that
>>is settled between the DSL modem and the ISP. Effectively, then, the
>>computers are left with a permanent Internet address. Is this correct?
>
> Yes..no. The computers effectively don't have Internet addresses at all;
> they only have _intranet_ addresses. Your modem apparently has an Internet
> address it obtained by DHCP from your ISP.
>
> But correct in that sense, that with that kind of set-up you can keep
> consistent, non-changing addresses on your LAN.

On the "WAN" side the Actiontec does dhcp with the ISP. My dsl service does not come with a static ip. This is a "don't care" on the lan side (unless you are running exposed-to-the-net servers.)

On the lan side I config'd the Actiontec for static lan ip's. The Qwest doc's say to use dhcp on the lan side. Ignore that unless you want A LOT of confusion on your lan. (I suppose it makes sense for the average MS user that never had a NIC to start with...)

[The Actiontec has a dhcp _server_ for the lan side -- if you want. We are talking two *different* dhcp's here -- one server in the Actiontec for the lan boxes, and the ISP server for the Actiontec's outside-world ip. http:// to the Actiontec and click on "status" to see the ISP-assigned ip address.]

>>2) If so, then it would seem that as far as the computers are concerned,
>>they both access a fixed internet address, and that address is the LAN
>>address of the modem and not the assigned address on the ISP side. Is that
>>correct?
>
> Both computers access the Internet through a gateway having a fixed
> address. Still, the "LAN address of the modem" apparently is not an Internet
> address. Sorry to be anal over these, but trying to keep these straight
> tends to at some point clarify things.

The Actiontec comes by default as 192.168.0.1 (which was ok by me -- as I retired the first lan box - a 486DX33 on 192.168.0.1 - a year ago.) You can (re)config the Actiontec for any lan ip you wish. Just set all your pc's "gateway"s to 192.168.0.1. For easy browser access: add "192.168.0.1 DSL " to /etc/hosts

>>3) I've made a practice of having a terminal running tcpdump whenever
>>the box is up, and have seen no intrusive activity at all. In fact,
>>except for explicit activity with the time server, the mail server, the
>>news server, and whatever http server I'm doing business with, there is
>>no more activity now than when the DSL modem was not connected to the
>>LAN. Given that the modem is actually a NAT enabled bridge, does that
>>suggest that it is doing everything that needs to be done? I'm aware
>>that this is commonly thought not to be the case....
>
> I'd say that can't NAT on a bridge. Sounds like a NATting router.

Yep.

> At network level everything now depends on the configuration of the modem:
> have you assigned any ports to be forwarded to any of the LAN machines
> for incoming traffic? So, f.ex. if someone connects to port 25 ("smtp",
> common port for providing mail server service) of your modem from the
> Internet, does the modem just drop/reject the traffic, or have you
> configured it to forward those requests to one of your internal machines?
>
> Basically, I'd expect that all traffic you see in your LAN is packets
> originated by your machine, and response packets to these.
>
> One thing you need to find out, though: is the configuration www service
> that your modem provides available also to the Internet? If so, have you
> set up a good enough password (or rather, find out whether there is any
> way to restrict the configuration access to LAN only).

By default it is *not* web admin'able from the "wan" side. There is a BIG pdf out there for the details of the Actiontec. (There's also a small sales/marketing pdf, too.) Google on "qwest actiontec 1524" and drill down to it. (Hell, it just occurred to me that the pdf should be on the CD in the box with the Actiontec that Qwest shipped to you.)

All-in-all, this Action 1524 is Real Slick. I had been doing lots of web research on DSL installs, dual-nic setups, yaa-daa, yaa-daa. I was apprehensive. It now seems Actiontec was reading the same ng postings I was and built a box to address all the then-existing hassles and problems.

HTH,
Jonesy
--
| Marvin L Jones | jonz | W3DHJ | OS/2 | Gunnison, Colorado | @ | Jonesy | linux __ | 7,703' -- 2,345m | config.com | DM68mn SK |
Allodoxaphobia wrote:
<snip>
> I see the Actiontec "polling"(?) the hub when none of the pc's
> are turned on.

There is something active to which it is responding. If there weren't, none of the four lights on the right would be lit. Which light is on? On mine, only one is used and that one is the connection to the ethernet switch, which is active (lights always on). And it is that LAN connection light that blinks, indicating a poll.

<snip>
> On the "WAN" side the Actiontec does dhcp with the ISP.
> My dsl service does not come with a static ip.

My service is connected directly to the ISP and is (apparently) managed by the ISP, where Qwest only supplies the connectivity. So you've confirmed my conclusion here.

> This is a "don't care" on the lan side
> (unless you are running exposed-to-the-net servers.)
> On the lan side I config'd the Actiontec for static lan ip's. The
> Qwest doc's say to use dhcp on the lan side. Ignore that unless you

Okay, my take on this is that the ActionTec will supply dynamic addresses for boxes plugged directly into the modem. This would be useful if any of these need an address to which port forwarding can be enabled.

> want A LOT of confusion on your lan. (I suppose it makes sense
> for the average MS user that never had a NIC to start with...)
> [The Actiontec has a dhcp _server_ for the lan side -- if you want.
> We are talking two *different* dhcp's here -- one server in the
> Actiontec for the lan boxes, and the ISP server for the Actiontec's
> outside-world ip. http:// to the Actiontec and click on "status"
> to see the ISP-assigned ip address.]
>
>>>2) If so, then it would seem that as far as the computers are concerned,
>>>they both access a fixed internet address, and that address is the LAN
>>>address of the modem and not the assigned address on the ISP side. Is
>>>that correct?
>>
>> Both computers access the Internet through a gateway having a fixed
>> address. Still, the "LAN address of the modem" apparently is not an
>> Internet address. Sorry to be anal over these, but trying to keep these
>> straight tends to at some point clarify things.
>
> The Actiontec comes by default as 192.168.0.1 (which was ok by
> me -- as I retired the first lan box - a 486DX33 on 192.168.0.1 - a
> year ago.) You can (re)config the Actiontec for any lan ip you wish.
> Just set all your pc's "gateway"s to 192.168.0.1.
> For easy browser access: add "192.168.0.1 DSL " to /etc/hosts

I'm running on my LAN as the internet gateway. Works just fine. Have one Linux machine and one winders box.

<snip>
>> I'd say that can't NAT on a bridge. Sounds like a NATting router.
>
> Yep.

Configurable as a bridge, though.

<snip>
> All-in-all, this Action 1524 is Real Slick. I had been
> doing lots of web research on DSL installs, dual-nic setups,
> yaa-daa, yaa-daa. I was apprehensive.
> It now seems Actiontec was reading the same ng postings I
> was and built a box to address all the then-existing hassles
> and problems.

Yeah, I was prepared to go for a Cisco 678, but this ActionTec just sits there and does its thing without a hiccup. I'm running it at default level, using firewalls on the computers. ZA on the PC and Shorewall on the Linux box. So far, I've seen no evidence of intrusion, though.

Bill Tallman
On Mon, 02 Feb 2004 23:43:59 -0800, William D. Tallman hath writ:
> Allodoxaphobia wrote:
>
><snip>
>> I see the Actiontec "polling"(?) the hub when none of the pc's
>> are turned on.
>
> There is something active to which it is responding. If there weren't, none
> of the four lights on the right would be lit. Which light is on? On mine,
> only one is used and that one is the connection to the ethernet switch,
> which is active (lights always on). And it is that LAN connection light
> that blinks, indicating a poll.

The hub -- it's always on -- because it could (have - before DSL) been called upon to serve any of the PC's. It's an 8-port hub (with 3 powered-off PC's on it), and I see the Actiontec polling by its blinking lite and the blinking light on the hub. About once every 10-15 secs or so. (I wonder what embedded O/S is in the Actiontec.......)

><snip>
>> On the "WAN" side the Actiontec does dhcp with the ISP.
>> My dsl service does not come with a static ip.
>
> My service is connected directly to the ISP and is (apparently) managed by
> the ISP, where Qwest only supplies the connectivity. So you've confirmed
> my conclusion here.

Yep.

>> On the lan side I config'd the Actiontec for static lan ip's. The
>> Qwest doc's say to use dhcp on the lan side. Ignore that unless you
>
> Okay, my take on this is that the ActionTec will supply dynamic addresses
> for boxes plugged directly into the modem. This would be useful if any of
> these need an address to which port forwarding can be enabled.

It can do port forwarding. The set-up screen asks for an IP addy for the port(s) to be forwarded. Dunno how that can be set up *AND* use dhcp on the lan side.

><snip>
>> All-in-all, this Action 1524 is Real Slick. I had been
>> doing lots of web research on DSL installs, dual-nic setups,
>> yaa-daa, yaa-daa. I was apprehensive.
>> It now seems Actiontec was reading the same ng postings I
>> was and built a box to address all the then-existing hassles
>> and problems.
>
> Yeah, I was prepared to go for a Cisco 678, but this ActionTec
> just sits there and does its thing without a hiccup.

Yes. I did a lot of pre-DSL research -- getting ready for the day when Qwest quit merely promising service, and actually delivered it. Back then, the Cisco 678 was The Box. I did a lot of head-scratching to figure out how to slip the Cisco in to the set-up here. It looked to be a teeth-gnashing, dual-NIC-in-one-of-the-boxes necessity. When DSL actually showed up in the form of the Actiontec 1524, I had to do a "memory dump" of all my Cisco knowledge, and re-research how to do it with the Actiontec. I kept trying to make it harder than it was.

Jonesy
--
| Marvin L Jones | jonz | W3DHJ | OS/2 | Gunnison, Colorado | @ | Jonesy | linux __ | 7,703' -- 2,345m | config.com | DM68mn SK |