LAN security, Filezilla, ULA, TD-W9980, Engineering

  • Daily nerd configuration fun. Now I've got secured encrypted connection over IPv6 on LAN, using link local addresses alone. As well as just as additional configuration challenge, also did configuration with iptables so that even if the listen interface wouldn't be limited to link local, firewall would still limit access to single other link local address. So ok, configuration is overkill. But I had to configure each layer separately to test it works. So firewalling is working perfectly, of course link local addressing is working. All the server software is working and clients are working, and so on. Some people claim that IPv6 is insecure because lack of NAT. So what's wrong with my configuration. If you've got a good idea, please let me know.
  • While doing the thing above, I encountered once again totally misleading and horrible absolute lie error messages. If I give link local address to Filezilla, without specifying interface, the error message says that I've given invalid port number. Invalid port number my .... BLEEP! Lies, lies, lies. Ok, but yeah, sure. It works just fine when everything is configured correctly. And of course allowed user login using ssh-ed25519-key.
  • IPv6 - I'm well aware that instead of using link local addresses, it's recommended to use Unique Local Address (ULA) addressing in general. But in this case, having just TCP connection over local Ethernet / IPv6 is just fine to use link-local addresses. If you're using static global addresses those are of course fine, when properly firewalled. That's the usual way of dealing with IPv6. It's naturally different story if you've got something like large number of sensors or servers, which aren't supposed to be accessible from the Internet. Then using ULA is totally logical, and secure bridge between the public addressing and back-end systems. Whatever that is, is is data aggregator, port forwarding, traditional proxy and so on, list goes on.
  • I had to configure a TD-W9980 firewall for a friend. Based on quick testing, I'm starting to have a strong feeling that the firewalls IPv6 is actually totally broken and the rule matching / configuration doesn't work correctly. Great work. I've configured quite a bunch of firewalls, and this one doesn't seem to make sense. Just bit more extra testing and then I'll draw my conclusions. - Did I say, Internet of Sh*t (IoS)? It seems that even my firewall belongs to that category. Whatever I do, any of the firewall rules won't match. Even if similar rules work perfectly with IPv4 addresses. So sure, I know how to configure the rules, addresses, subnets and masks, as well as other required parameters of the rule. Any of the rules won't work. Only the generic firewall on / off as well as allow / deny by default works. But no rules will match, not with 'catch all' rules, nor with very specific single IPv6 address / 128 + single tcp port. It's totally broken. Well, what did I expect? Haha. Phew. Also interestingly when deleting rules, even if firewall is disabled, and references on rule table have been removed. It still claims that some of the IPv6 LAN / WAN hosts are still in use, and won't allow removing the rules. I think this is utter IoS stuff. I even bothered to check that the manual doesn't have any additional info. Of course it doesn't, it's totally useless. I guess it's time to install alternate firmware. - I guess this isn't first or last consumer grade "firewall" which got totally broken IPv6 features.
  • Talked with friends about washing machines. Found out that it seems that there has been 'engineers and designers' out there once again. They've done so ridiculous work that it's absolutely horrible and sucks totally. The detergent bin doesn't work at all with liquid detergents. I just tried to use liquid detergent instead of powder. And it really doesn't work, even if you use the module especially designed for washing liquids. The module is so badly manufactured and seals poorly, that it literally leaks empty in few minutes. And I found out that multiple manufacturers got the exactly same module being used. What a fail. Whoever designed this, thank you so much. Got so annoyed about their engineering skills, that I simply had to fix it. I just rubbed thin layer of wax to the bottom of the detergent bin, and then applied some liquid hardening gum 'glue' to the bottom of the blocker flap. Now it finally works and seal well enough, but still not totally perfectly. Which is the preferred solution, because it still allows plain water to drain over several hours. Thick detergent liquid won't leak practically at all.

2019-05-12