Rob's Ramblings

Wednesday, 18 June 2008

Thanks Sky

OK... Seems like my months of correspondence with Sky has finally reached somebody who knows what they are talking about. I'll refrain from naming the very helpful chap who phoned me out of the blue yesterday, just in case he gets inundated with support calls, but the upshot is that Sky have given me permission to use a particular work-around for the problem.

Now it doesn't actually fix the bug in their firmware at all, so doesn't really help anybody else who is in the same position, and I'm still waiting to hear about the GPL source code, but at least I can move on and stop worrying about their router upgrading itself to a broken firmware as soon as I reboot it.

Now to move on to getting the OpenWRT box in the middle of the network performing correctly..


Tuesday, 10 June 2008

Sky BB router woes

OK. Getting closer.

Thanks to a Community Updates firmware version of 1.03.87, I was able to get telnet access to the Sky router in its new version. A bit of digging shows that, at the very least, there have been some changes to the firewall code. Here are the outputs from iptables --list on each version:

Old firmware:

# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REAIM_IN all -- anywhere anywhere
INPUT_UDP udp -- anywhere anywhere
INPUT_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_UDP udp -- anywhere anywhere
FORWARD_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP icmp -- anywhere anywhere state INVALID

Chain ALGS (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[BLOCK]'
REJECT tcp -- anywhere anywhere tcp dpt:80 reject-with http-block
DROP all -- anywhere anywhere

Chain CONCHK (1 references)
target prot opt source destination

Chain DOS (6 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere limit: avg 1/sec burst 4 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 1/sec burst 4
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere

Chain FORWARD_TCP (1 references)
target prot opt source destination
ALGS tcp -- anywhere anywhere tcp spt:6701
ALGS tcp -- anywhere anywhere tcp spt:80
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere

Chain FORWARD_UDP (1 references)
target prot opt source destination
DOS udp -- anywhere anywhere
RETURN udp -- anywhere anywhere

Chain HTTP (1 references)
target prot opt source destination
CONCHK all -- anywhere anywhere STRING match GET

Chain INPUT_TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere www.routerlogin.comtcp dpt:80
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere

Chain INPUT_UDP (1 references)
target prot opt source destination
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS udp -- anywhere anywhere
RETURN udp -- anywhere anywhere

Chain REAIM_IN (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:1863:1864
ACCEPT tcp -- anywhere anywhere tcp dpt:5566
ACCEPT tcp -- anywhere anywhere tcp dpt:5190
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT tcp -- anywhere anywhere tcp dpts:40000:40099
ACCEPT tcp -- anywhere anywhere tcp dpt:1864
ACCEPT tcp -- anywhere anywhere tcp dpt:5566
ACCEPT tcp -- anywhere anywhere tcp dpt:5190
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT udp -- anywhere anywhere udp dpts:40000:41000


Chain SCAN (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[PORT SCAN]'
DROP all -- anywhere anywhere
New firmware:

# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
PROXY all -- anywhere anywhere
LOCAL_SERVICE all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
OUT_FILTER all -- anywhere anywhere
CFILTER all -- anywhere anywhere
FW_BASIC all -- anywhere anywhere
IN_FILTER all -- anywhere anywhere
FW_UPNP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[BLOCK] '
REJECT tcp -- anywhere anywhere tcp dpt:80 reject-with http-block

Chain CFILTER (1 references)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match GET
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match POST
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match HEAD

Chain DOS (6 references)
target prot opt source destination
RETURN all -- anywhere anywhere
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
RETURN tcp -- anywhere anywhere limit: avg 100/sec burst 100 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 100/sec burst 100
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere

Chain FW_BASIC (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT all -- anywhere anywhere

Chain FW_UPNP (1 references)
target prot opt source destination

Chain HTTP (3 references)
target prot opt source destination

Chain IN_FILTER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain LOCAL_SERVICE (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT tcp -- anywhere www.routerlogin.comtcp dpt:80
ACCEPT icmp -- anywhere anywhere

Chain OUT_FILTER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain PROXY (1 references)
target prot opt source destination

Chain SCAN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[PORT SCAN] '
DROP all -- anywhere anywhere

I'm no iptables expert, but maybe someone can help - why does this one not forward packets between the internet and a machine on a different subnet behind a gateway on the LAN side??
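One way to compare the two dumps mechanically, as an added example that is not part of the original post and not the router's or Netgear's code: a small Python parser for the `iptables --list` format, run on constructed excerpts trimmed from the two listings above (one column-header line is kept to show the parser skips it). It reports chains added, removed or changed between the firmwares, jumps into user chains that have no rules (the new HTTP and FW_UPNP chains are empty, so a jump into them just returns to the caller), terminal rules with no visible match that sit above other rules, and the `limit` thresholds. The caveat that matters for reading the page's output: `iptables --list` without `-v` hides interface matches (`-i`/`-o`) and similar, so the two identical-looking `ACCEPT all` lines at the top of FW_BASIC and the `RETURN all` at the top of DOS presumably carry hidden matches; `iptables -L -v -n` on the box would show them (and `-n` also skips the reverse DNS lookup that prints the router's own address as www.routerlogin.com).

```python
# Parse and compare two `iptables --list` dumps. OLD and NEW below are constructed
# excerpts trimmed from the two firmware listings on this page (added example code).
from __future__ import annotations
import re
from dataclasses import dataclass, field

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")
LIMIT_RE = re.compile(r"limit: avg (\S+) burst (\d+)")

@dataclass
class Chain:
    name: str
    policy: str | None        # built-in chains only
    references: int | None    # user-defined chains only
    rules: list[str] = field(default_factory=list)

def parse_iptables_list(text: str) -> dict[str, Chain]:
    """Split the dump into chains; column padding is collapsed so rules compare cleanly."""
    chains: dict[str, Chain] = {}
    current = None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("#") or line.startswith("target prot opt"):
            continue
        if m := CHAIN_RE.match(line):
            name, policy, refs = m.groups()
            current = chains[name] = Chain(name, policy, int(refs) if refs else None)
        elif current is not None:
            current.rules.append(line)
    return chains

def diff_chains(old: dict[str, Chain], new: dict[str, Chain]) -> dict[str, list[str]]:
    """Chains added, removed, or whose policy or rule list differs."""
    changed = [n for n in sorted(old.keys() & new.keys())
               if (old[n].policy, old[n].rules) != (new[n].policy, new[n].rules)]
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()), "changed": changed}

def dangling_jumps(chains: dict[str, Chain]) -> list[tuple[str, str]]:
    """Jumps into an empty user chain: the packet just returns, so the jump does nothing."""
    return [(ch.name, rule.split()[0]) for ch in chains.values() for rule in ch.rules
            if rule.split()[0] in chains and not chains[rule.split()[0]].rules]

def shadowing_rules(chains: dict[str, Chain]) -> list[tuple[str, int, str]]:
    """Terminal rules with no visible match that are not last in their chain: nothing
    below them is reachable. Plain --list hides -i/-o and similar matches, so confirm
    each hit with `iptables -L -v -n` before acting on it."""
    return [(ch.name, i, rule.split()[0]) for ch in chains.values()
            for i, rule in enumerate(ch.rules[:-1])
            if rule.split()[0] in {"ACCEPT", "DROP", "REJECT", "RETURN"}
            and rule.split()[1:] == ["all", "--", "anywhere", "anywhere"]]

def rate_limits(chains: dict[str, Chain]) -> dict[tuple[str, int], tuple[str, int]]:
    """(chain, rule index) -> (average rate, burst) for every `limit` match."""
    return {(ch.name, i): (m.group(1), int(m.group(2)))
            for ch in chains.values() for i, rule in enumerate(ch.rules)
            if (m := LIMIT_RE.search(rule))}

OLD = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
HTTP       tcp  --  anywhere             anywhere             tcp dpt:80
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DOS        icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere

Chain DOS (6 references)
RETURN     tcp  --  anywhere             anywhere             limit: avg 1/sec burst 4 tcp flags:SYN,RST,ACK/SYN
DROP       all  --  anywhere             anywhere
Chain HTTP (1 references)
CONCHK     all  --  anywhere             anywhere             STRING match GET
Chain CONCHK (1 references)
"""
NEW = """\
Chain FORWARD (policy DROP)
CFILTER    all  --  anywhere             anywhere
FW_BASIC   all  --  anywhere             anywhere
FW_UPNP    all  --  anywhere             anywhere
Chain CFILTER (1 references)
HTTP       tcp  --  anywhere             anywhere             tcp dpt:80 STRING match GET
Chain DOS (6 references)
RETURN     all  --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             limit: avg 100/sec burst 100 tcp flags:SYN,RST,ACK/SYN
DROP       all  --  anywhere             anywhere
Chain FW_BASIC (1 references)
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Chain HTTP (3 references)
Chain FW_UPNP (1 references)
"""

if __name__ == "__main__":
    old, new = parse_iptables_list(OLD), parse_iptables_list(NEW)
    print("chains:", diff_chains(old, new))
    print("dangling jumps in new:", dangling_jumps(new))
    print("shadowing rules in new:", shadowing_rules(new))
    print("limits old / new:", rate_limits(old), rate_limits(new))
```

Run against the full listings, the same functions flag that the new FORWARD chain's outcome rests almost entirely on FW_BASIC, and that the DOS rate limit went from 1/sec burst 4 to 100/sec burst 100. Whether FW_BASIC's hidden interface matches are what stops replies reaching a second gateway on the LAN is an assumption this script cannot settle; the `-v -n` listing from the box is the evidence needed.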


Sunday, 8 June 2008

Sky BB auto updates...

How to disable Sky Broadband's router's auto-upgrade .. at least until the next time you reboot it..

Unplug telephone line.
Restore back to 1.02.28 using the firmware image on the CD.
Use a URL injection hack to enable telnet.
telnet in!
ps -wax
look for "/usr/sbin/provisioning_ap"
kill it!

and for good measure:
nvram set "prov_last_attempt_time=2008-12-31 23:59:59"
nvram set "prov_last_update_time=2008-12-31 23:59:59"

although I don't yet know if this will actually stop it trying again.

Now you can plug the telephone line back in...


Saturday, 7 June 2008

More Sky Broadband Mutterings

Here is a list of responses from Sky Technical Support with regard to my contention that there is a bug in the latest v1.3.87 firmware that was not present in the previous version:


Please verify if the Sky Broadband Router has been upgraded with the new version of firmware.

The problem would appear to be the IP address 192.168.0.0 this should be 192.168.0.1 (this was because I was describing the various subnets..)

I have escalated your problem to our fault management team for a solution, they will reply direct to you. No they didn't.

I have today replaced your broadband router which should be with you in 5 days. It was. On the old version. Which worked fine, until this one upgraded itself too.

Until we know for definite that the same problem has occurred again then I wouldn't like to pin point the cause at this moment in time.

I have looked into this for and I have been advised to ask that you change the subnet on the other system to match with your system that connects. Oh, so I mess up my network to accommodate you? Even if I could. I've got things on separate subnets for a reason!


We appreciate you pointing out this possible flaw with our new firmware. As you can imagine, this is a flaw that would not affect the majority of our customers, and as such, we were not aware of any possible issues. I have passed the details of this issue to our testing team, who will attempt to replicate the issue you are experiencing, and hopefully, find a resolution to this issue. However, due to the nature of firmware updates, it may be some time before a fix is in place. As a workaround to this issue, you can try connecting another router to your Sky router via an ethernet cable, and then make all the necessary adjustment to the second router. In theory, the Sky router would be used simply as a modem, and the second router would manage all your firewall rules. Ah, someone who appears as if they know what they are talking about. Unfortunately I can't just use the sky router "as a modem"..

So I asked for the source, which they have to supply under the GPL:
The source code for the firmware you are asking for cannot be given out over the telephone or in an email. However I am including the address you can write to regarding this matter.

Sky Broadband will only work with the Sky Broadband Box that we provided to you. We have launched our service in this way so that we can provide the best technical support should you have any problems. ROFLMAO


I apologise for any inconvenience this may have caused and any misunderstanding.
I have read all your comments that you have made and I like to address all areas of your queries:
1. Q. Your query relate to a daisy chain network.
1. A. As your queries relate to specialised area of expertise, Sky Broadband will only work with the Sky Broadband Box that we provided to you. We have launched our service in this way so that we can provide the best technical support should you have any problems.
2. Q. The upgrade of the firmware software version V1.02.28 to the current version 1.03.87.
2. A. In a situation where this sort of automation helps to maintain consistency, the application of security patches commonly occurs in this manner. This is part of the update to fix problems with a computer program or its supporting data; this also includes fixing bugs, replacing graphics and improving the usability or performance.
3. Q. (You’re aware, of course, that you have to publish the source for anything produced using existing GPL code.)
3. A. Our Programmers publish and apply patches in various forms. Because proprietary software authors withhold their source code, their patches are distributed as binary executables instead of source. This type of patch modifies the program executable the program the user actually runs either by modifying the binary file to include the fixes or by completely replacing it. Proprietary software has restrictions on use or private modification or with restrictions judged to be excessive on copying or publishing of modified or unmodified versions. These restrictions are enforced by either legal or technical means.
4. Q. I think this categorically proves now that there is a bug in the new firmware you are auto-upgrading. I know that this will not affect the majority of your users, however it is still a fault and it is affecting us.
4. A. As part of your terms and conditions of signing up to Sky broadband, you agreed to use our hardware that we supplied. For information on Sky Broadband Terms and Conditions please visit our website on the following link:
http://www.sky.com/portal/site/skycom/security
In full we do not allow open discussion on this area in any department with in the company and we are unable to furnish you with the information you require as explained above, we have now closed this case.

Did any of those Answers match the Questions? Did any of that make any sense at all? Either way, they seem not to want to talk to me any more. Strange that I've never heard from either of the other teams that my query was supposedly forwarded to.

Oh, and Netgear don't want to provide the GPL sources instead; they say Ask Sky..


Monday, 26 May 2008

iPlayer, 4od, download locations..

I've been fighting with this for a bit, off and on. I've got iPlayer and 4od installed on my laptop, but it's got precious little space on it to actually store anything. (Silly thing came with the hard disc partitioned into three drives, and c:\ is currently languishing with only about 500MB spare on it.) I've been unable to do more than download one thing at a time.

Now, I've got a couple of TB elsewhere on the LAN, thanks to some little nas boxes, but how to get iPlayer to use it.

It didn't take too long to find a registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\Kontiki\4od1\downloadDir (and iPlayer and Sky are in the same location) but after I pointed it at \\nas\public\Kontiki\4od1\ downloads would fail immediately.

Today I worked it out. Simple really. The Kontiki "Kservice" service is installed to run as the Local System account. Unfortunately this doesn't have access to the nas box! So, I changed the "Log on" option for the service to my user account, which does, restarted the service, and hey presto, it works!

For better security I should really create another dedicated user account for it, and give that access to the nas box, but hey ho, it works for now.

Oh. and 4od support said it was impossible to change download location. Hmm.


Saturday, 19 April 2008

Sky broadband router woes

Here at irrelevant towers we have two broadband connections, one from ukonline, and one from Sky broadband.  (They are both easynet brands, and actually connect to pretty much the same kit at the exchange.)  I have  a router/firewall device that does some basic load balancing between the LAN and each WAN link.

Sky supplied us with a customised version of the netgear DG834GT. Part of their customisation is to make the router poll for firmware updates, and install them automatically.

The other day, it updated. And broke that internet connection. The firewall could connect out to any internet host it liked, but not any of the LAN based clients. It seems that there is an issue with it routing incoming packets according to the user specified routing table. Or maybe their firewall settings are too aggressive. Either way, replies to packets sent to it from outside its immediate LAN connection don't make it back to the firewall.

Netgear Tech Support have said to speak to Sky, as it's customised.  Sky, after the usual initial crap responses, have eventually decided to throw a replacement router my way.  It's here and in and working.  On the old firmware.  I'm just waiting to see what happens when it updates.. I'll keep you posted.
