On Wed, 29 Mar 2017 04:52:08 -0700, Jorge Almeida <jjalme...@gmail.com> wrote:

> On Wed, Mar 29, 2017 at 12:45 AM, Neil Bothwick <n...@digimed.co.uk>
> wrote:
> > On Tue, 28 Mar 2017 22:52:25 -0700, Jorge Almeida wrote:
> >
> > It's more a privacy issue than security for me. I have a similar
> > setup with a Virgin cable router, which I set to what they call
> > modem mode, where only one of the ports works and connects to my
> > router. The one time I ran tech support they were able to see that
> > I was using it this way and even reset the modem for me. I suppose
> > it makes life easier for them and their typical customers, but it
> > was a little unnerving.
>
> The ISP-provided router is officially managed (whatever this means) by
> them. As to privacy, I know a packet is visible once it leaves the
> router via the WAN port. What I worry a bit about is the possibility of
> foul play towards the home network. The computers are firewalled via
> iptables, but accept connections from 192.168.... What prevents a
> hacked router from impersonating a local origin?

Block packets that originate from the router's MAC address and don't belong to a known connection. Then deploy a managed switch that can do MAC address filtering, so it allows only the one MAC address on the router port. This should be safe enough; it would be difficult to get around such a setup. To be even safer, use VLANs and exclude all your computers from the management port.

This, however, doesn't prevent tampering with packets on their way through the router. You could use a VPN and place the tunnel endpoints only on trusted routers. That way, your ISP only relays VPN traffic; ensure the transfer networks below are used only for the VPN and that your machines accept nothing else.

-- 
Regards,
Kai

Replies to list-only preferred.
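Kai's first suggestion, dropping everything the ISP router's MAC sends that is not part of a connection the host itself opened, as an iptables rule set on each LAN host. This is an added example and not code from the thread or from any of the participants. The interface name (eth0), the MAC address, the ROUTER_IN chain name and the `router_rules` helper are placeholders chosen for the example; the host's existing "accept from 192.168..." rule is assumed to already sit in INPUT and is left untouched.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): install rules that reject
# unsolicited traffic from the ISP router's MAC address, whatever source
# IP it claims.  Set IPT="echo iptables" to preview the rules without root.
set -eu

IPT="${IPT:-iptables}"

router_rules() {
    lan_if="$1"      # interface facing the ISP router, e.g. eth0
    router_mac="$2"  # MAC of the ISP router's LAN port (see "ip neigh")
    dhcp="${3:-no}"  # "yes" if this host still takes its lease from that router

    # A dedicated chain keeps the policy easy to inspect and to flush.
    $IPT -N ROUTER_IN 2>/dev/null || $IPT -F ROUTER_IN

    # Replies to connections this host initiated are the "known connections"
    # Kai refers to; conntrack has an entry for them.
    $IPT -A ROUTER_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Caveat: DHCP OFFER/ACK from the router can be broadcast and then does
    # not match a conntrack entry, so it needs an explicit exception.
    if [ "$dhcp" = yes ]; then
        $IPT -A ROUTER_IN -p udp --sport 67 --dport 68 -j ACCEPT
    fi

    # Everything else from the router's MAC is unsolicited: log (rate
    # limited) and drop, even if the packet carries a 192.168.x.x source.
    $IPT -A ROUTER_IN -m limit --limit 5/min -j LOG --log-prefix "router-unsolicited: "
    $IPT -A ROUTER_IN -j DROP

    # Inserted at position 1 so it is evaluated before any existing
    # "accept from 192.168.0.0/16" rule in INPUT.  The mac match only works
    # on the receiving interface, which is why -i is given.
    $IPT -I INPUT 1 -i "$lan_if" -m mac --mac-source "$router_mac" -j ROUTER_IN
}

# Usage: IPT="echo iptables" ./router-rules.sh eth0 00:11:22:33:44:55 [yes]
# (placeholder MAC; take the real one from "ip neigh show" for the gateway IP)
if [ "$#" -ge 2 ]; then
    router_rules "$@"
fi
```

Preview with `IPT="echo iptables"` first, then run as root. Two limits follow from what the rule keys on: a compromised router can also forge its source MAC, which iptables on the host cannot detect, and that is exactly what the per-port MAC filter on the managed switch in Kai's post is for; and the rule only covers traffic the router injects into the LAN, not what it does to packets in transit, which is why the VPN suggestion is a separate measure.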