Carl Johnson on 1 Oct 2009 15:45:23 -0700



Re: [PLUG] Comcast "CDV" device & firewalls


i will assume that the cdv is a small narrow black box made by arris, 
which comcast commonly uses these days for their triple play service.
this device isn't really a router per se. it's more like just a plain 
old docsis cable modem with a phone segment tied to it. with that said 
it shouldn't be surprising that you could ssh into an unfirewalled box 
from the outside. you are right about the mac addy trapping. it's one of 
comcast's ways of preventing you from getting more than one public IP. 
all you need to do to release this hold on the MAC and to get the cdv to 
start accepting dhcpdiscovers again is to power cycle it. be aware 
though that quite often these things have their own battery backup built 
in. when you pull the power flip the box over and remove the battery 
from the bottom under the little trap door for a few secs.

1. what firewall rules you implement is up to you. with this in mind, 
whatever you plug into it will be directly and completely exposed to the 
open internet.

2. the phone part does work "similar" to a vonage adapter. what would 
you like to know about it?

2.1. see 1.

3. all you need to do to release this hold on the MAC and to get the cdv 
to start accepting dhcpdiscovers again is to power cycle it.


JP Vossen wrote:
> My Mom just had Comcast switch her over to "Comcast Digital Voice" among 
> other things.  (I assume "Triple-play" but don't know for sure.)  She 
> lives 2 hours away so I was trying to talk to the tech over the phone. 
> He was trying to be helpful, but he just didn't have much of a clue.
>
> He removed the old cable modem and installed a device he calls the "CDV" 
> which is some kind of combined bridge & VoIP device.  At least, it has 
> coax in and RJ-11 phone + RJ-45 Ethernet out.
>
> But, of course, there are some problems.
>
> First, we plugged an Ubuntu laptop directly into the CDV and Internet 
> works, AND I was able to directly SSH into the laptop on port 22 from 
> outside.  That's very surprising, for obvious security reasons.
>
> Second, when we replaced the laptop with the firewall, the Internet 
> doesn't work again (can't be more specific than that).  I suspect that 
> something has grabbed the MAC address of the laptop and is expecting 
> that.  (I *hate* that.)  I could spoof the laptop MAC on the FW, but 
> doing that over the phone is tough and the tech had to leave. 
> "Internet" was "working" so...  And in his defense he did spend a good 
> amount of his own time trying to help.
>
> I have the old cable modem/bridge, so I can put that back on and what 
> I'd really like to do is what I have at my house with FiOS:
>
> [Bridge] <--> [Firewall] <--> LAN
>                      ^--> Phone segment
>
> So the problems are:
>
> 1) The tech had no idea what incoming FW rules are needed (I have an 
> any/any/any outgoing rule for that segment for now).
> 2) I get the impression that they are doing something "tricky" and that 
> the phone part of the CDV doesn't work like my Vonage adapter does.
> 2.1) Related to that, why was I able to SSH in?  Is there no FW/NAT 
> built into the CDV?  If it was truly a bridge, that would be perfect as 
> far as I am concerned.  But then how does the CDV get an IPA if it's not 
> shared and NAT'ed?  And that leaves gaping security holes that I can't 
> believe even Comcast would be oblivious to.  So what the heck?
> 3) The memorized MAC address.
>
> Anyone else have a CDV and this kind of setup and can shed some light?
>
> Thanks!
> JP
> ----------------------------|:::======|-------------------------------
> JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
> My Account, My Opinions     |=========|      http://www.jpsdomain.org/
> ----------------------------|=========|-------------------------------
> "Microsoft Tax" = the additional hardware & yearly fees for the add-on
> software required to protect Windows from its own poorly designed and
> implemented self, while the overhead incidentally flattens Moore's Law.
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>
>   

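Carl's point 1 (whatever sits behind the CDV is fully exposed, so the inbound rules are up to you) and JP's current "any/any/any outgoing" rule can be expressed as a small stateful default-deny ruleset. The script below is an added example written for this thread, not code from either poster: it emits an nftables ruleset for a firewall whose WAN port is cabled straight to the CDV. The WAN interface name (default "eth0"), the table name "wanfilter" and the presence of nftables on the firewall are assumptions, not anything stated on the page.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal stateful
# default-deny nftables ruleset for a firewall plugged directly into the
# CDV. Unsolicited traffic from the WAN side is logged and dropped; LAN
# hosts may still open new connections outward (the "any/any/any
# outgoing" rule from the thread).
# Assumptions: WAN interface name is $1 (default "eth0"); nftables is
# installed on the firewall. Neither is stated on the page.

build_ruleset() {
    wan="${1:-eth0}"
    cat <<EOF
table inet wanfilter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to flows the firewall itself started
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Rate-limited ICMP so path-MTU discovery and ping still work
        ip protocol icmp limit rate 10/second accept
        ip6 nexthdr icmpv6 limit rate 10/second accept

        # Anything else arriving unsolicited on the WAN port: log, then drop
        iifname "$wan" log prefix "wan-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN-originated connections toward the WAN are allowed;
        # nothing new is forwarded in from the WAN side.
        oifname "$wan" ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax check without touching the running firewall (no root needed
# for the parse itself): nft -c parses the ruleset and exits non-zero
# on error.
check_ruleset() {
    build_ruleset "$1" | nft -c -f -
}

# Apply atomically (requires root): nft -f loads the whole file in one
# transaction, so there is no window with a half-installed policy.
apply_ruleset() {
    build_ruleset "$1" | nft -f -
}

# Usage: build_ruleset eth0 > wanfilter.nft   (review it)
#        check_ruleset eth0 && apply_ruleset eth0
```

The dropped WAN packets show up in the kernel log with the "wan-drop: " prefix, which is the quickest way to confirm that the SSH-from-outside behaviour JP saw is now blocked at the firewall rather than relying on the CDV.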