Lincoln Fessenden on 1 Oct 2009 15:20:16 -0700


Re: [PLUG] Comcast "CDV" device & firewalls

JP Vossen wrote:
> My Mom just had Comcast switch her over to "Comcast Digital Voice" among 
> other things.  (I assume "Triple-play" but don't know for sure.)  She 
> lives 2 hours away so I was trying to talk to the tech over the phone. 
> He was trying to be helpful, but he just didn't have much of a clue.
> He removed the old cable modem and installed a device he calls the "CDV" 
> which is some kind of combined bridge & VoIP device.  At least, it has 
> coax in and RJ-11 phone + RJ-45 Ethernet out.
> But, of course, there are some problems.
> First, we plugged an Ubuntu laptop directly into the CDV and Internet 
> works, AND I was able to directly SSH into the laptop on port 22 from 
> outside.  That's very surprising, for obvious security reasons.
> Second, when we replaced the laptop with the firewall, the Internet 
> doesn't work again (can't be more specific than that).  I suspect that 
> something has grabbed the MAC address of the laptop and is expecting 
> that.  (I *hate* that.)  I could spoof the laptop MAC on the FW, but 
> doing that over the phone is tough and the tech had to leave. 
> "Internet" was "working" so...  And in his defense he did spend a good 
> amount of his own time trying to help.
> I have the old cable modem/bridge, so I can put that back on and what 
> I'd really like to do is what I have at my house with FiOS:
> [Bridge] <--> [Firewall] <--> LAN
>                      ^--> Phone segment
> So the problems are:
> 1) The tech had no idea what incoming FW rules are needed (I have an 
> any/any/any outgoing rule for that segment for now).
> 2) I get the impression that they are doing something "tricky" and that 
> the phone part of the CDV doesn't work like my Vonage adapter does.
> 2.1) Related to that, why was I able to SSH in?  Is there no FW/NAT 
> built in to the CDV?  If it was truly a bridge, that would be perfect as 
> far as I am concerned.  But then how does the CDV get an IPA if it's not 
> shared and NAT'ed?  And that leaves gaping security holes that I can't 
> believe even Comcast would be oblivious to.  So what the heck?
> 3) The memorized MAC address.
> Anyone else have a CDV and this kind of setup and can shed some light?
> Thanks!
> JP
> ----------------------------|:::======|-------------------------------
> JP Vossen, CISSP            |:::======|
> My Account, My Opinions     |=========|
> ----------------------------|=========|-------------------------------
> "Microsoft Tax" = the additional hardware & yearly fees for the add-on
> software required to protect Windows from its own poorly designed and
> implemented self, while the overhead incidentally flattens Moore's Law.
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --
> Announcements -
> General Discussion  --

Not quite the same but I can tell you my cable modem does the same thing 
by "memorizing" the MAC and only talking to that device.  A simple modem 
reset (unplug power / wait / plug back in) fixes it every time.

-Linc Fessenden

In the Beginning there was nothing, which exploded - Yeah right...

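The security point in JP's post is that the CDV behaves as a plain bridge: the laptop got a public address and was reachable on port 22 from outside, with no NAT or filtering in between. The usual answer is exactly the layout he sketches, a Linux firewall between the bridge and the inside segments. The script below is an added example, not code from the thread or from anyone on it; it generates an nftables ruleset (the modern replacement for the iptables setup a 2009 box would have used) for a firewall with three interfaces: cable side, LAN, and a separate phone segment with the any/any/any outbound rule JP mentions. Interface names and subnets are assumptions set by environment variables; the ruleset is printed by default so it can be reviewed, checked with `nft -c` before anything is loaded, and only applied on request.

```shell
#!/bin/sh
# Added example (not from the original thread): nftables ruleset for the
# [Bridge] <--> [Firewall] <--> LAN / Phone-segment layout JP describes.
# Interface names and subnets below are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"      # plugged into the CDV / cable bridge
LAN_IF="${LAN_IF:-eth1}"      # general LAN
PHONE_IF="${PHONE_IF:-eth2}"  # segment holding the VoIP adapter
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PHONE_NET="${PHONE_NET:-192.168.2.0/24}"

# Emit the ruleset on stdout. Input and forward default to drop; both
# inside segments are masqueraded, so nothing inside is directly reachable
# from the cable side (unlike the laptop plugged straight into the CDV).
gen_ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    iifname { "$LAN_IF", "$PHONE_IF" } accept
    # no unsolicited connections from the cable side (e.g. ssh on 22)
    iifname "$WAN_IF" drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    # phone segment: any/any/any outgoing, as in the original post
    iifname "$PHONE_IF" oifname "$WAN_IF" accept
    # keep the phone segment away from the LAN
    iifname "$PHONE_IF" oifname "$LAN_IF" drop
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN_IF" ip saddr { $LAN_NET, $PHONE_NET } masquerade
  }
}
EOF
}

# Count occurrences of a pattern in the generated ruleset (sanity check).
rule_count() { gen_ruleset | grep -c "$1"; }

# Parse-check the ruleset with nft -c without loading it. Returns 0 when
# the ruleset parses, or when nft is absent so the generator stays usable.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    gen_ruleset | nft -c -f -
  else
    echo "nft not found; ruleset not syntax-checked" >&2
  fi
}

# "apply" loads the ruleset (needs root); "check" only parses it;
# anything else prints it for review.
case "${1:-}" in
  apply) gen_ruleset | nft -f - ;;
  check) check_ruleset ;;
  *)     gen_ruleset ;;
esac
```

Run it with no arguments to see the ruleset, `check` to parse it, and `apply` as root to load it. The forward chain is where the "phone segment" policy lives: the VoIP adapter may reach the Internet freely, but it cannot initiate anything toward the LAN, and the input chain answers JP's question 2.1 by refusing unsolicited connections from the cable side regardless of what the CDV does or does not filter.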