Cable Modem Hack - Cable Haunt pfSense rule?

awebster

In fact, we are talking about the same thing, only in your case Comcast gave you a private IP instead of a public IP (shame on them), consequently, filtering RFC1918 outbound doesn't work so well.
Every setup I do, if the WAN side has a public IP, has an RFC1918 outbound filter to prevent data leakage, so implicitly protects the cable modem, however, if you can view your neighbor's cable modems that is a problem, presumably they can see yours. The Cablehaunt vuln is only supposed to be exposed on the ethernet port.

chpalmer

@awebster

No.. I am not a Comcast customer.. I only mentioned them because they hand out IPv6 maintenance addresses.

My ISP hands out the modem maintenance address in the 10.20.x.x range.

The maintenance address does not get me internet access. It only allows the ISP to access my modem for their use reboot modem look at signals ect. My modem does not care what my public IP address is nor is does it interfere with that process. It is only a bridge.

Why would any ISP want to use public IP space to maintain modems on their system?

JKnott

@awebster said in Cable Modem Hack - Cable Haunt pfSense rule?:

Comcast gave you a private IP instead of a public IP (shame on them), consequently, filtering RFC1918 outbound doesn't work so well.

Comcast is moving everyone to IPv6 and providing only carrier grade NAT for IPv4.

dotdash

@JKnott said in Cable Modem Hack - Cable Haunt pfSense rule?:

Comcast is moving everyone to IPv6 and providing only carrier grade NAT for IPv4.

Maybe in another ten years. Right now every Comcast residential and business customer gets a public ipv4 address. You can easily get a /29 on a business cable line, and a larger subnet on fiber. Please don't spread misinformation.

JKnott

@dotdash

According to what I read above, the OP seems to be saying they have a 10. address for the WAN. That would indicate NAT is in use. Perhaps @chpalmer could verify whether or not their WAN address is 10. or not.

NGUSER6947

I am confused about this. My network config is like this:

Internet-->Cable modem-->NetGate Firewall-->My Stuff

If the NetGate firewall is configured to block any unsolicited traffic coming in and only allow traffic that was requested from downstream of the firewall, how is this hack a risk to me?

Note I have mine configured with the default rules, nothing removed or added.

Thanks.

provels

@NGUSER6947 In theory, you could have malware installed on your computer via a scam email or web page, or even a hacked legitimate web page, which would attack your modem from the LAN net. Yeah, you can block access to the modem's management address from the LAN, but that would make reading modem stats or remotely rebooting it (if either are supported) inconvenient.

chpalmer

Modems are also available via their maintenance address on your local node. That means that using the right address you can ping or even access your neighbors modem. Without any logging available by much of anyone.

So in theory one could reboot their neighbors modem if it had a reboot button and no password access. Also in theory one could infect their neighbors modem.

Comcast only uses local IPv6 addresses for this. Most other ISP's use local IPv4 space.

johnpoz

@TAC57 said in Cable Modem Hack - Cable Haunt pfSense rule?:

Steve Gibson says

That guys says a lot of shit! Most if it utter nonsense.. heheheh

But sure if you want to block 8080 to your modems 192.168.100.1 IP... Have fun... Put a rule on your lan that blocks dest 192.168.100.1 port 8080... done!

serbus

Hello!

https://docs.netgate.com/pfsense/en/latest/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.html
https://github.com/pfsense/docs/blob/master/source/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.rst

?

And because someone, like me, might ask/wonder...

https://forum.netgate.com/topic/119431/block-private-networks-what-does-that-do-what-is-it-used-for

John