JP Vossen on 1 Oct 2009 15:12:33 -0700


[PLUG] Comcast "CDV" device & firewalls

My Mom just had Comcast switch her over to "Comcast Digital Voice" among 
other things.  (I assume "Triple-play" but don't know for sure.)  She 
lives 2 hours away so I was trying to talk to the tech over the phone. 
He was trying to be helpful, but he just didn't have much of a clue.

He removed the old cable modem and installed a device he calls the "CDV" 
which is some kind of combined bridge & VoIP device.  At least, it has 
coax in and RJ-11 phone + RJ-45 Ethernet out.

But, of course, there are some problems.

First, we plugged an Ubuntu laptop directly into the CDV and Internet 
works, AND I was able to directly SSH into the laptop on port 22 from 
outside.  That's very surprising, for obvious security reasons.

Second, when we replaced the laptop with the firewall, the Internet 
doesn't work again (can't be more specific than that).  I suspect that 
something has grabbed the MAC address of the laptop and is expecting 
that.  (I *hate* that.)  I could spoof the laptop MAC on the FW, but 
doing that over the phone is tough and the tech had to leave. 
"Internet" was "working" so...  And in his defense he did spend a good 
amount of his own time trying to help.

I have the old cable modem/bridge, so I can put that back on and what 
I'd really like to do is what I have at my house with FiOS:

[Bridge] <--> [Firewall] <--> LAN
                     ^--> Phone segment

So the problems are:

1) The tech had no idea what incoming FW rules are needed (I have an 
any/any/any outgoing rule for that segment for now).
2) I get the impression that they are doing something "tricky" and that 
the phone part of the CDV doesn't work like my Vonage adapter does.
2.1) Related to that, why was I able to SSH in?  Is there no FW/NAT 
built in to the CDV?  If it was truly a bridge, that would be perfect as 
far as I am concerned.  But then how does the CDV get an IPA if it's not 
shared and NAT'ed?  And that leaves gaping security holes that I can't 
believe even Comcast would be oblivious to.  So what the heck?
3) The memorized MAC address.

Anyone else have a CDV and this kind of setup and can shed some light?

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
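An added example for the MAC-clone workaround mentioned in the post above. This is not code from JP's message, nor a Comcast procedure; it is one way to do "spoof the laptop MAC on the FW" as a single script that can be read over the phone instead of dictating commands one at a time. Assumptions: a Linux firewall with iproute2 and dhclient, a WAN interface named eth0, and the laptop's MAC given on the command line (both placeholders; the laptop's own address can be read on the laptop with: cat /sys/class/net/eth0/address). Two caveats worth knowing first: on many bridge-mode cable modems simply power-cycling the modem clears the learned MAC, which is worth trying before cloning anything, and once the firewall presents the laptop's MAC it also inherits whatever public address the laptop had, so the firewall's inbound policy is what stands between the Internet and the LAN from that moment on.

```shell
#!/bin/sh
# Added example, not code from the original post: clone the laptop's MAC onto
# the firewall's WAN interface so the Comcast bridge keeps talking to it, then
# release and renew the DHCP lease. Interface "eth0" and the MAC on the command
# line are placeholders (assumptions). Needs root unless DRY_RUN=1.
#
# Usage: sh clone_mac.sh eth0 00:11:22:33:44:55
#        DRY_RUN=1 sh clone_mac.sh eth0 00-11-22-33-44-55   # only print commands

# Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff and print the
# lower-case colon form. Rejects malformed input and multicast addresses
# (low bit of the first octet set), which should never be assigned to a NIC.
normalize_mac() {
    m=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ':-')
    case "$m" in
        "" | *[!0-9a-f]*) return 1 ;;          # empty or non-hex junk
        [0-9a-f][13579bdf]*) return 1 ;;       # multicast bit set
    esac
    [ ${#m} -eq 12 ] || return 1               # exactly six octets
    printf '%s\n' "$m" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Run a command, or just print it when DRY_RUN=1 (handy for dictation).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Take the interface down, set the cloned address, bring it up, and get a
# fresh lease so the upstream side sees the address it has memorised.
clone_mac() {
    ifc=$1
    mac=$(normalize_mac "$2") || { echo "clone_mac: bad MAC '$2'" >&2; return 1; }
    run ip link set dev "$ifc" down
    run ip link set dev "$ifc" address "$mac"
    run ip link set dev "$ifc" up
    run dhclient -r "$ifc"        # release the lease obtained with the old MAC
    run dhclient "$ifc"           # ask again, now presenting the cloned MAC
}

# Afterwards: does the kernel report the address we asked for?
check_mac() {
    want=$(normalize_mac "$2") || return 1
    have=$(cat "/sys/class/net/$1/address" 2>/dev/null) || return 1
    [ "$have" = "$want" ]
}

if [ $# -ge 2 ]; then
    clone_mac "$1" "$2" || exit 1
    [ "${DRY_RUN:-0}" = 1 ] || check_mac "$1" "$2" || { echo "MAC did not change" >&2; exit 1; }
fi
```

The dry-run mode exists so the person on the far end can read the exact commands back before anything is changed; the multicast check catches the most common transcription error (a digit misheard in the first octet) before the interface is reconfigured with an address the kernel will refuse or the modem will ignore.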
Philadelphia Linux Users Group