Balloon race
OK... Seems like my months of correspondence with Sky has finally reached somebody who knows what they are talking about. I'll refrain from naming the very helpful chap who phoned me out of the blue yesterday, just in case he gets inundated with support calls, but the upshot is that Sky have given me permission to use a particular work-around for the problem.
Now it doesn't actually fix the bug in their firmware at all, so doesn't really help anybody else who is in the same position, and I'm still waiting to hear about the GPL source code, but at least I can move on and stop worrying about their router upgrading itself to a broken firmware as soon as I reboot it.
Now to move on to getting the OpenWRT box in the middle of the network performing correctly..
OK. Getting closer.
Thanks to a Community Updates firmware version of 1.03.87, I was able to get telnet access to the Sky router in its new version. A bit of digging shows that, at the very least, there have been some changes to the firewall code. Here are the outputs from iptables --list on each version:
Old firmware:
#
# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REAIM_IN all -- anywhere anywhere
INPUT_UDP udp -- anywhere anywhere
INPUT_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_UDP udp -- anywhere anywhere
FORWARD_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP icmp -- anywhere anywhere state INVALID
Chain ALGS (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[BLOCK]'
REJECT tcp -- anywhere anywhere tcp dpt:80 reject-with http-block
DROP all -- anywhere anywhere
Chain CONCHK (1 references)
target prot opt source destination
Chain DOS (6 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere limit: avg 1/sec burst 4 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 1/sec burst 4
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere
Chain FORWARD_TCP (1 references)
target prot opt source destination
ALGS tcp -- anywhere anywhere tcp spt:6701
ALGS tcp -- anywhere anywhere tcp spt:80
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere
Chain FORWARD_UDP (1 references)
target prot opt source destination
DOS udp -- anywhere anywhere
RETURN udp -- anywhere anywhere
Chain HTTP (1 references)
target prot opt source destination
CONCHK all -- anywhere anywhere STRING match GET
Chain INPUT_TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere www.routerlogin.com tcp dpt:80
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere
Chain INPUT_UDP (1 references)
target prot opt source destination
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS udp -- anywhere anywhere
RETURN udp -- anywhere anywhere
Chain REAIM_IN (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:1863:1864
ACCEPT tcp -- anywhere anywhere tcp dpt:5566
ACCEPT tcp -- anywhere anywhere tcp dpt:5190
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT tcp -- anywhere anywhere tcp dpts:40000:40099
ACCEPT tcp -- anywhere anywhere tcp dpt:1864
ACCEPT tcp -- anywhere anywhere tcp dpt:5566
ACCEPT tcp -- anywhere anywhere tcp dpt:5190
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT udp -- anywhere anywhere udp dpts:40000:41000
Chain SCAN (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[PORT SCAN]'
DROP all -- anywhere anywhere
New firmware:
#
# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
PROXY all -- anywhere anywhere
LOCAL_SERVICE all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
OUT_FILTER all -- anywhere anywhere
CFILTER all -- anywhere anywhere
FW_BASIC all -- anywhere anywhere
IN_FILTER all -- anywhere anywhere
FW_UPNP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[BLOCK] '
REJECT tcp -- anywhere anywhere tcp dpt:80 reject-with http-block
Chain CFILTER (1 references)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match GET
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match POST
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match HEAD
Chain DOS (6 references)
target prot opt source destination
RETURN all -- anywhere anywhere
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
RETURN tcp -- anywhere anywhere limit: avg 100/sec burst 100 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 100/sec burst 100
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere
Chain FW_BASIC (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT all -- anywhere anywhere
Chain FW_UPNP (1 references)
target prot opt source destination
Chain HTTP (3 references)
target prot opt source destination
Chain IN_FILTER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain LOCAL_SERVICE (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT tcp -- anywhere www.routerlogin.com tcp dpt:80
ACCEPT icmp -- anywhere anywhere
Chain OUT_FILTER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain PROXY (1 references)
target prot opt source destination
Chain SCAN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[PORT SCAN] '
DROP all -- anywhere anywhere
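Comparing two dumps like those above by eye is error-prone, so here is an added example (written for this page, not code from the original post) that parses `iptables --list` output into chains and rules, reports which chains and rules appeared or vanished between the old and new firmware, and flags rules that sit behind a rule that, as displayed, already matches every packet. One caveat the tool makes visible: `iptables --list` without `-v` omits the in/out interface columns, so the three bare `ACCEPT all -- anywhere anywhere` rules at the top of the new INPUT chain may well be bound to an interface (say `-i lo`, assumed here as an illustration) and not as wide open as they look; `iptables -L -v -n` on the box would settle it. The two sample dumps embedded below are trimmed from the old- and new-firmware output on this page.

```python
# Added example (not code from the original post): diff two `iptables --list` dumps.
import re
from typing import Dict, List, Optional, Tuple

Chain = Tuple[Optional[str], List[str]]  # (policy, or None for user chains; rules)
# Matches "Chain INPUT (policy DROP)" and "Chain DOS (6 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
# A terminating rule that, as displayed, matches every packet
UNCONDITIONAL = re.compile(r"(ACCEPT|DROP|RETURN) all -- anywhere anywhere")

def parse_iptables_list(text: str) -> Dict[str, Chain]:
    """Parse `iptables --list` output into {chain name: (policy, rules)}."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line, prompt or command echo
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = (m.group(2), [])
        elif current is not None and not line.startswith("target "):  # skip header
            current[1].append(" ".join(line.split()))  # keep rule text as shown
    return chains

def diff_rulesets(old: Dict[str, Chain], new: Dict[str, Chain]) -> dict:
    """Chains added/removed, plus policy and rule changes for chains in both."""
    report = {"added_chains": sorted(set(new) - set(old)),
              "removed_chains": sorted(set(old) - set(new)),
              "changed_chains": {}}
    for name in sorted(set(old) & set(new)):
        (o_pol, o_rules), (n_pol, n_rules) = old[name], new[name]
        if o_pol != n_pol or o_rules != n_rules:
            report["changed_chains"][name] = {
                "policy": (o_pol, n_pol),
                "removed": [r for r in o_rules if r not in n_rules],
                "added": [r for r in n_rules if r not in o_rules]}
    return report

def shadowed_rules(rules: List[str]) -> List[str]:
    """Rules listed after one that matches everything as displayed: dead, unless
    `--list` (which omits in/out interfaces without -v) is hiding an interface match."""
    for i, rule in enumerate(rules):
        if UNCONDITIONAL.fullmatch(rule):
            return rules[i + 1:]
    return []

OLD_DUMP = """\
# constructed input: trimmed from the old-firmware dump on this page
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REAIM_IN all -- anywhere anywhere
INPUT_UDP udp -- anywhere anywhere
INPUT_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
Chain DOS (6 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere limit: avg 1/sec burst 4 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 1/sec burst 4
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere
Chain REAIM_IN (1 references)
target prot opt source destination
"""

NEW_DUMP = """\
# constructed input: trimmed from the new-firmware dump on this page
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
PROXY all -- anywhere anywhere
LOCAL_SERVICE all -- anywhere anywhere
Chain DOS (6 references)
target prot opt source destination
RETURN all -- anywhere anywhere
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
RETURN tcp -- anywhere anywhere limit: avg 100/sec burst 100 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 100/sec burst 100
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere
Chain PROXY (1 references)
target prot opt source destination
"""

if __name__ == "__main__":
    old, new = parse_iptables_list(OLD_DUMP), parse_iptables_list(NEW_DUMP)
    print(diff_rulesets(old, new))
    print("shadowed in new INPUT:", shadowed_rules(new["INPUT"][1]))
```

Run as-is it reports PROXY as a new chain, REAIM_IN as gone, INPUT and DOS as changed, and lists every rule after the first bare ACCEPT in the new INPUT chain as shadowed. The rule matching is deliberately string-based on the `--list` text rather than a real iptables grammar, which is exactly why the interface caveat matters: the same script run on `iptables -L -v -n` output would see the interface columns and stop flagging those rules.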
How to disable Sky Broadband's router's auto-upgrade .. at least until the next time you reboot it..
Unplug telephone line.
Restore back to 1.02.28 using the firmware image on the CD.
Use a URL injection hack to enable telnet.
telnet in!
ps -wax
look for "/usr/sbin/provisioning_ap"
kill it!
and for good measure:
nvram set "prov_last_attempt_time=2008-12-31 23:59:59"
nvram set "prov_last_update_time=2008-12-31 23:59:59"
although I don't yet know if this will actually stop it trying again.
Now you can plug the telephone line back in...
Here is a list of responses from Sky Technical Support with regard to my contention that there is a bug in the latest v1.3.87 firmware that was not present in the previous version:
Please verify if the Sky Broadband Router has been upgraded with the new version of firmware.
The problem would appear to be the IP address 192.168.0.0 this should be 192.168.0.1 (this was because I was describing the various subnets..)
I have escalated your problem to our fault management team for a solution, they will reply direct to you. No they didn't.
I have today replaced your broadband router which should be with you in 5 days. It was. On the old version. Which worked fine, until this one upgraded itself too.
Until we know for definite that the same problem has occurred again then I wouldn't like to pin point the cause at this moment in time.
I have looked into this for and I have been advised to ask that you change the subnet on the other system to match with your system that connects. Oh, so I mess up my network to accommodate you? Even if I could. I've got things on separate subnets for a reason!
We appreciate you pointing out this possible flaw with our new firmware. As you can imagine, this is a flaw that would not affect the majority of our customers, and as such, we were not aware of any possible issues. I have passed the details of this issue to our testing team, who will attempt to replicate the issue you are experiencing, and hopefully, find a resolution to this issue. However, due to the nature of firmware updates, it may be some time before a fix is in place. As a workaround to this issue, you can try connecting another router to your Sky router via an ethernet cable, and then make all the necessary adjustment to the second router. In theory, the Sky router would be used simply as a modem, and the second router would manage all your firewall rules. Ah, someone who appears as if they know what they are talking about. Unfortunately I can't just use the sky router "as a modem"..
So I asked for the source, which they have to supply under the GPL:
The source code for the firmware you are asking for cannot be given out over the telephone or in an email. However I am including the address you can write to regarding this matter.
Sky Broadband will only work with the Sky Broadband Box that we provided to you. We have launched our service in this way so that we can provide the best technical support should you have any problems. ROFLMAO
I apologise for any inconvenience this may have caused and any misunderstanding.
I have read all your comments that you have made and I would like to address all areas of your queries:
1. Q. Your query relates to a daisy chain network.
1. A. As your queries relate to a specialised area of expertise, Sky Broadband will only work with the Sky Broadband Box that we provided to you. We have launched our service in this way so that we can provide the best technical support should you have any problems.
2. Q. The upgrade of the firmware software version V1.02.28 to the current version 1.03.87.
2. A. In a situation where this sort of automation helps to maintain consistency, the application of security patches commonly occurs in this manner. This is part of the update to fix problems with a computer program or its supporting data; this also includes fixing bugs, replacing graphics and improving the usability or performance.
3. Q. (You’re aware, of course, that you have to publish the source for anything produced using existing GPL code.)
3. A. Our Programmers publish and apply patches in various forms. Because proprietary software authors withhold their source code, their patches are distributed as binary executables instead of source. This type of patch modifies the program executable (the program the user actually runs) either by modifying the binary file to include the fixes or by completely replacing it. Proprietary software has restrictions on use or private modification or with restrictions judged to be excessive on copying or publishing of modified or unmodified versions. These restrictions are enforced by either legal or technical means.
4. Q. I think this categorically proves now that there is a bug in the new firmware you are auto-upgrading. I know that this will not affect the majority of your users, however it is still a fault and it is affecting us.
4. A. As part of your terms and conditions of signing up to Sky broadband, you agreed to use our hardware that we supplied. For information on Sky Broadband Terms and Conditions please visit our website on the following link:
http://www.sky.com/portal/site/skycom/security
In full we do not allow open discussion on this area in any department within the company and we are unable to furnish you with the information you require as explained above, we have now closed this case.
Did any of those Answers match the Questions? Did any of that make any sense at all? Either way, they seem not to want to talk to me any more. Strange that I've never heard from either of the other teams that my query was supposedly forwarded to.
Oh, and Netgear don't want to provide the GPL sources instead; they say Ask Sky..