[ale] OT: What the hell is XSS in Comcast land?

Alex Carver agcarver+ale at acarver.net
Mon Aug 12 20:32:22 EDT 2013


On 8/12/2013 17:16, Jim Lynch wrote:
> On 08/12/2013 04:36 PM, Alex Carver wrote:
>> Consumer firmware is exactly why I replaced the firmware in the router
>> the moment I bought it.  It's especially important considering I use
>> features that Linksys' own firmware does not support (changing port
>> number when mapping, supporting multiple IPs on WAN, etc.) Installing
>> is fairly trivial now, plenty of tools for multiple operating systems
>> and OpenWRT now has Lua scripts to give you a web configuration system
>> so you technically don't have to fiddle with terminal access.  It took
>> me almost as much time to set up the wiring for the firmware as it did
>> to install the firmware itself.  Customizing took a little time but
>> for most applications it's not bad.
> I'm still running the original firmware because, if I understand OpenWRT
> it uses iptables, which is probably the most non intuitive, complex and
> frustrating software on the planet.  The firmware for the Linksys has
> the right idea.  Fill in the blanks for what ports you want routed to
> where, and block the rest, not some arcane stuff like:
>
> # iptables -A INPUT -i eth0 -s x.y.z.s/32 -j DROP
> iptables -A INPUT -i eth0 -s x.y.z.c/32 -j DROP
> iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
> iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
> # iptables -A INPUT -i eth0 -s x.y.z.s/32 -j DROP
> iptables -A INPUT -i eth0 -s x.y.z.c/32 -j DROP
> iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
> iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
>
> Total unnecessary gibberish.  Designed to keep sys admins employed!

Eh, you get used to it.  Unfortunately Linksys' firmware does not allow 
port remapping, just 1-to-1 mapping.  For example, if I want to have a 
web server on public IP port 8080, the internal host has to be running a 
web server also on port 8080 because Linksys' firmware won't let me 
change it on the fly.  However, iptables does let me change it so my 
internal server can use the default 80 (good for viewing the server from 
another internal machine without remembering which port I used) while 
the external link can stay at 8080.

However, the OpenWRT project DID create Lua/web scripting that automates 
the whole iptables process so it looks very much like what you describe 
of Linksys' firmware interface so you don't have to touch the bare 
command line if you don't want to.
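The port remapping described above (public 8080 to internal 80), as an added example that is not from the post or from OpenWRT: a small POSIX sh script that builds the two iptables rules needed (DNAT in the nat table, plus a matching FORWARD accept), with a port-range check and a dry-run mode. Assumed values: WAN interface eth0, internal host 192.168.1.10, and a FORWARD chain whose default policy is DROP.

```shell
#!/bin/sh
# Remap a public WAN port to a different port on an internal host with iptables.
# Assumptions (constructed for this example): WAN interface eth0, internal
# host 192.168.1.10, FORWARD policy DROP so only the translated flow is allowed.

# Return 0 if $1 is a valid TCP/UDP port number (1-65535), 1 otherwise.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules for: <wan_if> <ext_port> <int_ip> <int_port>
port_remap_rules() {
  wan_if=$1; ext_port=$2; int_ip=$3; int_port=$4
  if ! valid_port "$ext_port" || ! valid_port "$int_port"; then
    echo "port_remap_rules: invalid port ($ext_port / $int_port)" >&2
    return 1
  fi
  # DNAT runs in PREROUTING, so the destination is rewritten before the
  # FORWARD chain ever sees the packet.
  echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
  # FORWARD therefore matches on the internal address and port, not 8080.
  # Only new connections to that one socket, plus their replies, are accepted.
  echo "iptables -A FORWARD -i $wan_if -p tcp -d $int_ip --dport $int_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Apply the rules, or just print them when DRY_RUN=1.
apply_rules() {
  port_remap_rules "$@" | while IFS= read -r rule; do
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$rule"; else sh -c "$rule"; fi
  done
}

# Stand-alone use: DRY_RUN=1 sh portmap.sh prints the rules without applying them.
if [ "${DRY_RUN:-0}" = 1 ]; then apply_rules eth0 8080 192.168.1.10 80; fi
```

LAN machines still reach the server directly on 192.168.1.10:80, since that traffic never crosses the WAN interface; only the outside sees 8080.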

