Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Cable Modem Hack - Cable Haunt pfSense rule?

    Scheduled Pinned Locked Moved Firewalling
    15 Posts 9 Posters 2.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chpalmerC
      chpalmer
      last edited by

      awebster How do you think these devices are designed? every cable modem Ive ever used answered to 192.168.100.1 every on of our DSL modems when we had them were non router models and answered to 192.168.0.1 While you might be of the opinion that those addresses should be blocked it is actually expected behavior that they pass out the WAN.

      NAT brings absolutely no security to those who know what they are doing. Thus it should never be used in the same sentence IMHO.

      TAC57 If you have one of the modems on the list (which really isn't very long from what Ive seen) then yes you could put a rule blocking access on your LAN and DMZ interfaces with 192.168.100.1:8080 as the destination.

      My broadcom based modem is not on any list Ive seen and has the spectrum analyzer page turned off by my ISP anyways so Im not concerned here.

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      1 Reply Last reply Reply Quote 0
      • awebsterA
        awebster
        last edited by

        Generally speaking, the modem will have a non-routable IP until such time as it has acquired a public IP from the Cable network infrastructure, which then becomes the primary IP. The non-routable IP continues to be accessible after this.
        This is a source of much confusion / issues when pfSense accidentally gets a non-routable IP from the modem instead of the expected public IP when it requests a DHCP address.

        –A.

        1 Reply Last reply Reply Quote 0
        • chpalmerC
          chpalmer
          last edited by chpalmer

          I think you misunderstand.. My cable modem is a simple bridge. It has no router capability nor does it accept my WAN IP for me. My router (pfsense) asks my ISP DHCP server for the address through the bridge (modem). The modem does ask for a "maintenance" address from the ISP.. So my modem GUI will have actually two addresses. Both RFC 1918. One for me (192.168.100.1 built in) and one for the ISP (10.20.x.x in my area given to it via DHCP) (Comcast uses IPv6 addresses as maintenance addresses) If one was to block my network from passing all RFC 1918 addresses out the WAN then we would not be able to access our cable modem GUI. Any bridge only modem or modem put into bridge mode works this way.

          As it is I can see every maintenance address in my node. (my neighbors modems)

          Every router I have ever used passes RFC 1918 out the WAN as long as it outside of my LAN subnets. I would not want it otherwise.

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          1 Reply Last reply Reply Quote 0
          • awebsterA
            awebster
            last edited by

            In fact, we are talking about the same thing, only in your case Comcast gave you a private IP instead of a public IP (shame on them), consequently, filtering RFC1918 outbound doesn't work so well.
            Every setup I do, if the WAN side has a public IP, has an RFC1918 outbound filter to prevent data leakage, so implicitly protects the cable modem, however, if you can view your neighbor's cable modems that is a problem, presumably they can see yours. The Cablehaunt vuln is only supposed to be exposed on the ethernet port.

            –A.

            chpalmerC JKnottJ 2 Replies Last reply Reply Quote 0
            • chpalmerC
              chpalmer @awebster
              last edited by

              @awebster

              No.. I am not a Comcast customer.. I only mentioned them because they hand out IPv6 maintenance addresses.

              My ISP hands out the modem maintenance address in the 10.20.x.x range.

              The maintenance address does not get me internet access. It only allows the ISP to access my modem for their use reboot modem look at signals ect. My modem does not care what my public IP address is nor is does it interfere with that process. It is only a bridge.

              Why would any ISP want to use public IP space to maintain modems on their system?

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              1 Reply Last reply Reply Quote 0
              • JKnottJ
                JKnott @awebster
                last edited by

                @awebster said in Cable Modem Hack - Cable Haunt pfSense rule?:

                Comcast gave you a private IP instead of a public IP (shame on them), consequently, filtering RFC1918 outbound doesn't work so well.

                Comcast is moving everyone to IPv6 and providing only carrier grade NAT for IPv4.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                dotdashD 1 Reply Last reply Reply Quote 0
                • dotdashD
                  dotdash @JKnott
                  last edited by

                  @JKnott said in Cable Modem Hack - Cable Haunt pfSense rule?:

                  Comcast is moving everyone to IPv6 and providing only carrier grade NAT for IPv4.

                  Maybe in another ten years. Right now every Comcast residential and business customer gets a public ipv4 address. You can easily get a /29 on a business cable line, and a larger subnet on fiber. Please don't spread misinformation.

                  JKnottJ 1 Reply Last reply Reply Quote 1
                  • JKnottJ
                    JKnott @dotdash
                    last edited by

                    @dotdash

                    According to what I read above, the OP seems to be saying they have a 10. address for the WAN. That would indicate NAT is in use. Perhaps @chpalmer could verify whether or not their WAN address is 10. or not.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    1 Reply Last reply Reply Quote 0
                    • N
                      NGUSER6947
                      last edited by

                      I am confused about this. My network config is like this:

                      Internet-->Cable modem-->NetGate Firewall-->My Stuff

                      If the NetGate firewall is configured to block any unsolicited traffic coming in and only allow traffic that was requested from downstream of the firewall, how is this hack a risk to me?

                      Note I have mine configured with the default rules, nothing removed or added.

                      Thanks.

                      provelsP 1 Reply Last reply Reply Quote 0
                      • provelsP
                        provels @NGUSER6947
                        last edited by provels

                        @NGUSER6947 In theory, you could have malware installed on your computer via a scam email or web page, or even a hacked legitimate web page, which would attack your modem from the LAN net. Yeah, you can block access to the modem's management address from the LAN, but that would make reading modem stats or remotely rebooting it (if either are supported) inconvenient.

                        Peder

                        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                        1 Reply Last reply Reply Quote 0
                        • chpalmerC
                          chpalmer
                          last edited by

                          Modems are also available via their maintenance address on your local node. That means that using the right address you can ping or even access your neighbors modem. Without any logging available by much of anyone.

                          So in theory one could reboot their neighbors modem if it had a reboot button and no password access. Also in theory one could infect their neighbors modem.

                          Comcast only uses local IPv6 addresses for this. Most other ISP's use local IPv4 space.

                          Triggering snowflakes one by one..
                          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            @TAC57 said in Cable Modem Hack - Cable Haunt pfSense rule?:

                            Steve Gibson says

                            That guys says a lot of shit! Most if it utter nonsense.. heheheh

                            But sure if you want to block 8080 to your modems 192.168.100.1 IP... Have fun... Put a rule on your lan that blocks dest 192.168.100.1 port 8080... done!

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 1
                            • S
                              serbus
                              last edited by serbus

                              Hello!

                              https://docs.netgate.com/pfsense/en/latest/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.html
                              https://github.com/pfsense/docs/blob/master/source/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.rst

                              ?

                              And because someone, like me, might ask/wonder...

                              https://forum.netgate.com/topic/119431/block-private-networks-what-does-that-do-what-is-it-used-for

                              John

                              Lex parsimoniae

                              1 Reply Last reply Reply Quote 1
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.