In other words, any way to watch for and block any errant packets that the router hardware may send? (i.e. "phone home" type packets)
You don't see that on the host, e.g. https://en.wikipedia.org/wiki/Out-of-band_management
You have to mirror/intercept network traffic to see it.
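One way to act on that mirroring advice, as an added example that is not part of the original post or of OpenWrt itself: take a `tcpdump -n` capture on a mirror/SPAN port upstream of the router and, at the same time, a `conntrack -L` listing on the router, then flag every flow leaving the router's WAN address that the router's own kernel has no connection entry for. A flow that is on the wire but unknown to the OS is exactly the kind of thing the question is after. The WAN address, the resolver address and every input line below are constructed for this example; nothing here is real traffic.

```python
"""Diff what an upstream mirror port saw against what the router's kernel knows.

Added example for the thread above; all addresses and lines are constructed.
"""
import re
from dataclasses import dataclass

ROUTER_WAN_IP = "203.0.113.10"  # assumption: the router's WAN address


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One `tcpdump -n` line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
TCPDUMP_RE = re.compile(
    rf"IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): ?(?P<rest>.*)"
)

# The src/dst/sport/dport tuples that `conntrack -L` prints twice per entry
# (original direction first, reply direction second).
TUPLE_RE = re.compile(rf"src=({IPV4}) dst=({IPV4}) sport=(\d+) dport=(\d+)")


def parse_tcpdump(line):
    """Parse one `tcpdump -n` line from the mirror into a Flow, or None."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return None
    # tcpdump prints "Flags [...]" only for TCP; everything else is treated as
    # UDP here (ICMP and other protocols are out of scope for this example).
    proto = "tcp" if "Flags [" in m.group("rest") else "udp"
    return Flow(proto, m.group("src"), int(m.group("sport")),
                m.group("dst"), int(m.group("dport")))


def parse_conntrack(line):
    """Turn one `conntrack -L` entry into the flow as it appears on the WAN wire.

    After masquerading, the packet on the wire carries the *reply* tuple's
    dst/dport as its source, so building the flow from the reply tuple makes
    the comparison NAT-aware: forwarded LAN traffic and the router's own
    traffic both end up keyed by the post-NAT WAN address and port.
    """
    proto = line.split()[0] if line.strip() else ""
    if proto not in ("tcp", "udp"):
        return None
    tuples = TUPLE_RE.findall(line)
    if len(tuples) < 2:
        return None
    r_src, r_dst, r_sport, r_dport = tuples[1]
    return Flow(proto, r_dst, int(r_dport), r_src, int(r_sport))


def unexplained_flows(mirror_lines, conntrack_lines, wan_ip=ROUTER_WAN_IP):
    """Flows seen leaving wan_ip on the mirror that conntrack never tracked."""
    on_wire = {f for f in map(parse_tcpdump, mirror_lines) if f and f.src == wan_ip}
    known = {f for f in map(parse_conntrack, conntrack_lines) if f}
    return on_wire - known


# Constructed sample input: what the mirror port saw ...
MIRROR_LINES = [
    "12:00:01.000000 IP 203.0.113.10.45678 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.100000 IP 203.0.113.10.51000 > 198.51.100.53.53: 1234+ A? example.org. (29)",
    "12:00:02.000000 IP 203.0.113.10.60001 > 192.0.2.77.443: Flags [S], seq 2, win 8192, length 0",
    "12:00:02.500000 IP 198.51.100.5.443 > 203.0.113.10.45678: Flags [S.], seq 9, ack 2, win 65535, length 0",
]

# ... and what `conntrack -L` on the router reported at the same moment.
# Entry 1 is a LAN client (192.168.1.20) masqueraded to port 45678; entry 2 is
# the router's own DNS lookup.  Nothing explains the flow to 192.0.2.77.
CONNTRACK_LINES = [
    "tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.5 sport=40000 dport=443 "
    "src=198.51.100.5 dst=203.0.113.10 sport=443 dport=45678 [ASSURED] mark=0 use=1",
    "udp      17 29 src=203.0.113.10 dst=198.51.100.53 sport=51000 dport=53 "
    "src=198.51.100.53 dst=203.0.113.10 sport=53 dport=51000 mark=0 use=1",
]

if __name__ == "__main__":
    for f in sorted(unexplained_flows(MIRROR_LINES, CONNTRACK_LINES), key=str):
        print(f"UNEXPLAINED {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Two caveats a practitioner should keep in mind. A single `conntrack -L` snapshot misses short-lived flows, so in practice run `conntrack -E` (event mode) alongside the capture, or log device-originated traffic from the firewall, and diff against that. And a management controller that gets its own IP address (rather than borrowing the host's) would never match `ROUTER_WAN_IP`; for that case capture with `tcpdump -e` and filter on the NIC's MAC address instead.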
Thanks for the replies. Packet duplication looks interesting, although I wouldn't know how to implement that sort of thing.
Is it possible to do something within OpenWRT, or a package, like observe or intercept packets at the OpenWRT software level like in OpenWRT->Network->Interfaces or Devices? Or in Routing, etc? To perhaps see if a packet isn't being routed from another machine, but still wants "out" to the WAN (i.e. is from the router), and then check if it is from OpenWRT and disregard it if it is, otherwise block it. That leaves it as likely having originated from the router hardware, in theory.
The packets not pertaining to the host are in the normal forward chain. It is a bit unclear what you want to capture/look at.
Any errant packets that the router hardware may send. (i.e. "phone home" type packets). Any connections sending data from the router hardware itself. For example, any hardware or chips in the router that may have code on them that sends network traffic.
Chips phoning home (without their OS?). Interesting.
You can see traffic under:
Status > Realtime Graphs > Connections
- management processor on a(n enterprise) PC can connect network without involvement of host CPU
- OpenWrt does not "phone home" - unlike default router firmware which often does some telemetry.
Whatever you want to call it, blobs, BIOS/UEFI, baseband, embedded controller, SoCs. Many devices have been reported to phone home without an OS.
I'm specifically curious if there's any way of blocking packets originating from the router that are not from OpenWRT and are not being forwarded from another machine on the network. I don't know enough about packet inspection or whatever might be required, hence my question.
Yes, absolutely. You can make a firewall rule to block them.
But TBH, I'm confused - are you asking about (?) rogue packets originating out of the OpenWrt, or some other downstream device?
Because your comments like:
That seems to imply you want the OpenWrt to self-check/firewall itself twice - and not firewall a downstream router. Can you clarify?
Also, are you saying you don't want the OpenWrt to originate/generate any traffic itself (i.e., block everything from the router)?
(BTW, the interface to select in firewall for traffic originating from the OpenWrt is lo.)
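For concreteness, here is what such a rule looks like in `/etc/config/firewall`, as an added example rather than anything posted in the thread. In OpenWrt's firewall configuration a `config rule` with no `src` zone applies to traffic the router itself originates (the output chain, the device/lo selection in LuCI), and rules are evaluated in file order, so the permits for what the router legitimately needs come first and a catch-all reject last. Zone names `lan`/`wan` are OpenWrt's defaults; the resolver address 198.51.100.53 is an assumption you would replace with your own upstream.

```uci
# /etc/config/firewall fragment (added example, not from the thread)
# No `src` option => the rule matches traffic originating from the router.

config rule
	option name	'Allow-router-DNS'
	option dest	'wan'
	option dest_ip	'198.51.100.53'   # assumption: your configured upstream resolver
	option dest_port	'53'
	list proto	'udp'
	list proto	'tcp'
	option target	'ACCEPT'

config rule
	option name	'Allow-router-NTP'
	option dest	'wan'
	option dest_port	'123'
	option proto	'udp'
	option target	'ACCEPT'

config rule
	option name	'Reject-other-router-originated'
	option dest	'wan'
	option proto	'all'
	option target	'REJECT'

# Turn on logging for the wan zone so every rejected packet the router tried
# to send shows up in `logread`; add the two log options to your existing
# wan zone stanza rather than duplicating it.
config zone
	option name	'wan'
	list network	'wan'
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'
	option masq	'1'
	option mtu_fix	'1'
	option log	'1'
	option log_limit	'10/minute'
```

Two things to be clear about before enabling this. First, the catch-all reject will break anything else the router does on its own behalf (opkg/sysupgrade downloads, DDNS, remote syslog), so extend the ACCEPT rules for those before adding it. Second, these rules only see packets that pass through the kernel's netfilter output hook, which is everything OpenWrt's own userspace sends; they cannot tell "OpenWrt" apart from "the router", and they never see frames a NIC's management firmware injects below the driver. That part of the question is what a mirror port on the upstream side answers.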
OK, cool.
No. OP is fearing that the chip in the plastic box could magically generate packets and send them on the wire...
I ask myself how this should be possible without any OS.
I know of dirty code in closed-source products. I know of "real" OOB/iDRAC/iLO/BMC with phone-home capabilities... But embedded devices with an open-source OS, even with blob drivers... I'm not sure how even...
Well, I was just looking for some help here. If you don't know, then just say so. I don't appreciate the insulting innuendoes.
It's a legitimate request, despite the prickliness of these responses. I've been clear. If you think mockery is helpful, I'll leave.
There are devices that have the capability to send packets from the BIOS, firmware, baseband, soc. There have been reports of such activity going back a decade, from Adups firmware in chips to Tuya devices to Supermicro motherboards.
Great, thanks. What would such a rule look like to identify a packet not originating from OpenWRT itself, but from the router, and not from any other connected devices?
No, I'm trying to understand if there's a way to determine if a packet is from OpenWRT or not, yet originating from the same device. I'd just rather not have to put another firewall (banIP / Pi-Hole, etc) on the WAN side of the router, basically.
Thank you, I'll bear that in mind.
So you want to block packets from devices that can "phone home without an OS" by using the OS which by your own admission can't block them? Think that through.
http://intel.com/content/dam/www/public/us/en/documents/datasheets/i210-ethernet-controller-datasheet.pdf
"Management" traffic is completely invisible to the host. You can portscan for the MEI port, but the host OS does not see it, nor does it show up in netstat. You disable that in the BIOS/EFI setup, etc.
It is wildly outside of scope of OpenWrt or any other operating system, it is in BIOS setup and similar, efivars included.
And people here try to educate you that you might be completely off track.
Do you actually read posts?
Edit/PS: Again, what kind of hardware are we talking about here, to begin with?
No, I didn't say "by using the OS which by your own admission can't block them". If the packets are sent from the device, and the device is running OpenWRT which manages the network connections for the device, I was curious if OpenWRT would have any ability to "see" outbound packets from that hardware, since it is on the same device.
Fair enough, thank you.
OK. Your inquiry clarified this. It seems you are referring to the firewall of the OpenWrt's device blocking a [rogue, non-OS] packet originating from itself, and not a device downstream.
I provided how to make the firewall rule for traffic originating from the device, but I'm not sure it's related to your desire of "locating" non-OS rogue packets (?).
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.