Netgate Discussion Forum
    Cable Modem Hack - Cable Haunt pfSense rule?

    Firewalling
    15 Posts 9 Posters 2.1k Views
      awebster

      Generally speaking, the modem will have a non-routable IP until such time as it has acquired a public IP from the Cable network infrastructure, which then becomes the primary IP. The non-routable IP continues to be accessible after this.
      This is a source of much confusion / issues when pfSense accidentally gets a non-routable IP from the modem instead of the expected public IP when it requests a DHCP address.

      –A.

        chpalmer

        I think you misunderstand.. My cable modem is a simple bridge. It has no router capability nor does it accept my WAN IP for me. My router (pfsense) asks my ISP DHCP server for the address through the bridge (modem). The modem does ask for a "maintenance" address from the ISP.. So my modem GUI will have actually two addresses. Both RFC 1918. One for me (192.168.100.1 built in) and one for the ISP (10.20.x.x in my area given to it via DHCP) (Comcast uses IPv6 addresses as maintenance addresses). If one was to block my network from passing all RFC 1918 addresses out the WAN then we would not be able to access our cable modem GUI. Any bridge only modem or modem put into bridge mode works this way.

        As it is I can see every maintenance address in my node. (my neighbors modems)

        Every router I have ever used passes RFC 1918 out the WAN as long as it is outside of my LAN subnets. I would not want it otherwise.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          awebster

          In fact, we are talking about the same thing, only in your case Comcast gave you a private IP instead of a public IP (shame on them), consequently, filtering RFC1918 outbound doesn't work so well.
          Every setup I do, if the WAN side has a public IP, has an RFC1918 outbound filter to prevent data leakage, so implicitly protects the cable modem, however, if you can view your neighbor's cable modems that is a problem, presumably they can see yours. The Cablehaunt vuln is only supposed to be exposed on the ethernet port.

          –A.

            chpalmer @awebster

            @awebster

            No.. I am not a Comcast customer.. I only mentioned them because they hand out IPv6 maintenance addresses.

            My ISP hands out the modem maintenance address in the 10.20.x.x range.

             The maintenance address does not get me internet access. It only allows the ISP to access my modem for their use: reboot modem, look at signals, etc. My modem does not care what my public IP address is nor does it interfere with that process. It is only a bridge.

            Why would any ISP want to use public IP space to maintain modems on their system?

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              JKnott @awebster

              @awebster said in Cable Modem Hack - Cable Haunt pfSense rule?:

              Comcast gave you a private IP instead of a public IP (shame on them), consequently, filtering RFC1918 outbound doesn't work so well.

              Comcast is moving everyone to IPv6 and providing only carrier grade NAT for IPv4.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                dotdash @JKnott

                @JKnott said in Cable Modem Hack - Cable Haunt pfSense rule?:

                Comcast is moving everyone to IPv6 and providing only carrier grade NAT for IPv4.

                Maybe in another ten years. Right now every Comcast residential and business customer gets a public IPv4 address. You can easily get a /29 on a business cable line, and a larger subnet on fiber. Please don't spread misinformation.

                  JKnott @dotdash

                  @dotdash

                  According to what I read above, the OP seems to be saying they have a 10. address for the WAN. That would indicate NAT is in use. Perhaps @chpalmer could verify whether or not their WAN address is 10. or not.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                    NGUSER6947

                    I am confused about this. My network config is like this:

                    Internet-->Cable modem-->NetGate Firewall-->My Stuff

                    If the NetGate firewall is configured to block any unsolicited traffic coming in and only allow traffic that was requested from downstream of the firewall, how is this hack a risk to me?

                    Note I have mine configured with the default rules, nothing removed or added.

                    Thanks.

                      provels @NGUSER6947

                      @NGUSER6947 In theory, you could have malware installed on your computer via a scam email or web page, or even a hacked legitimate web page, which would attack your modem from the LAN net. Yeah, you can block access to the modem's management address from the LAN, but that would make reading modem stats or remotely rebooting it (if either are supported) inconvenient.

                      Peder

                      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                        chpalmer

                        Modems are also available via their maintenance address on your local node. That means that using the right address you can ping or even access your neighbor's modem. Without any logging available by much of anyone.

                        So in theory one could reboot their neighbor's modem if it had a reboot button and no password access. Also in theory one could infect their neighbor's modem.

                        Comcast only uses local IPv6 addresses for this. Most other ISPs use local IPv4 space.

                        Triggering snowflakes one by one..
                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                          johnpoz LAYER 8 Global Moderator

                          @TAC57 said in Cable Modem Hack - Cable Haunt pfSense rule?:

                          Steve Gibson says

                          That guy says a lot of shit! Most of it utter nonsense.. heheheh

                          But sure if you want to block 8080 to your modem's 192.168.100.1 IP... Have fun... Put a rule on your lan that blocks dest 192.168.100.1 port 8080... done!

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                            serbus

                            Hello!

                            https://docs.netgate.com/pfsense/en/latest/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.html
                            https://github.com/pfsense/docs/blob/master/source/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.rst

                            ?

                            And because someone, like me, might ask/wonder...

                            https://forum.netgate.com/topic/119431/block-private-networks-what-does-that-do-what-is-it-used-for

                            John

                            Lex parsimoniae
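The thread discusses two different LAN rulesets: the broad "keep RFC 1918 destinations off the WAN" filter that awebster applies and that the Netgate doc linked above describes, and johnpoz's narrow rule that only blocks port 8080 on the modem's 192.168.100.1 address. The block below is an added example, not code from the thread, pfSense or the Netgate docs: a small first-match evaluator that mimics how pfSense processes LAN-tab rules (rules apply to traffic entering the LAN interface, first match wins, unmatched traffic is blocked) and runs a few constructed flows through each ruleset, including an ISP maintenance address (10.20.7.42, a sample value) of the kind chpalmer says is reachable across the node. Every address, port and rule label in it is an assumption chosen for the illustration.

```python
"""First-match evaluator for pfSense-style LAN rules (constructed example).

Added illustration, not code from the forum thread, pfSense or the Netgate docs.
It mimics how pfSense evaluates interface rules: rules on the LAN tab apply to
traffic entering the LAN interface from LAN hosts, the first matching rule wins,
and traffic matching no rule is blocked. All addresses, ports and rule labels
are sample values chosen for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 private ranges (pfSense users usually keep these in an alias).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
# The cable modem's built-in management address mentioned in the thread.
MODEM = [ipaddress.ip_network("192.168.100.1/32")]


@dataclass(frozen=True)
class Flow:
    src: str    # LAN host originating the connection
    dst: str    # destination address
    dport: int  # destination TCP port


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    dst_nets: List[ipaddress.IPv4Network]
    dport: Optional[int] = None        # None matches any destination port
    label: str = ""

    def matches(self, flow: Flow) -> bool:
        dst = ipaddress.ip_address(flow.dst)
        if not any(dst in net for net in self.dst_nets):
            return False
        return self.dport is None or self.dport == flow.dport


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return the action of the first rule matching the flow; no match means block."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "block"


# Policy 1: block every RFC 1918 destination from the LAN (the broad egress
# filter from the Netgate doc linked in the thread), placed above the default allow.
BROAD_EGRESS_FILTER = [
    Rule("block", RFC1918, label="Block RFC1918 destinations"),
    Rule("pass", ANY, label="Default allow LAN to any"),
]

# Policy 2: johnpoz's narrow rule: only port 8080 on the modem is blocked.
NARROW_MODEM_RULE = [
    Rule("block", MODEM, dport=8080, label="Block modem port 8080"),
    Rule("pass", ANY, label="Default allow LAN to any"),
]

# Policy 3: the broad filter with an explicit pass above it, so the modem's
# status page on port 80 stays reachable while other RFC 1918 egress is dropped.
BROAD_WITH_MODEM_EXCEPTION = [
    Rule("pass", MODEM, dport=80, label="Allow modem status page"),
    Rule("block", RFC1918, label="Block RFC1918 destinations"),
    Rule("pass", ANY, label="Default allow LAN to any"),
]

# Constructed sample flows from a LAN host at 192.168.1.10.
MODEM_STATUS = Flow("192.168.1.10", "192.168.100.1", 80)
MODEM_8080 = Flow("192.168.1.10", "192.168.100.1", 8080)
NEIGHBOR_MODEM = Flow("192.168.1.10", "10.20.7.42", 80)   # sample ISP maintenance address
INTERNET = Flow("192.168.1.10", "203.0.113.5", 443)       # documentation address (TEST-NET-3)


def report(policies: dict) -> dict:
    """Map each policy name to the action taken for each sample flow."""
    flows = {"modem_status": MODEM_STATUS, "modem_8080": MODEM_8080,
             "neighbor_modem": NEIGHBOR_MODEM, "internet": INTERNET}
    return {name: {fname: evaluate(rules, f) for fname, f in flows.items()}
            for name, rules in policies.items()}


if __name__ == "__main__":
    policies = {"broad": BROAD_EGRESS_FILTER,
                "narrow": NARROW_MODEM_RULE,
                "broad_with_exception": BROAD_WITH_MODEM_EXCEPTION}
    for name, actions in report(policies).items():
        print(name, actions)
```

Running it shows the trade-off the thread circles around: the broad filter stops the LAN from reaching the sample maintenance address but also cuts off the modem's own status page, exactly as chpalmer warns; the narrow port-8080 rule keeps the status page but leaves every other RFC 1918 destination reachable; putting a specific pass for 192.168.100.1 port 80 above the broad block gives both. Because pfSense evaluates rules top to bottom, the order of the pass and block entries is what decides the outcome.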

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.