IP aliasing
Posted Jan 15, 2020 20:37 UTC (Wed) by marcH (subscriber, #57642)
In reply to: IP aliasing by marcH
Parent article: Exploit that gives remote access affects ~200 million cable modems (ars technica)
> ...
> PS: I need to perform some testing on my side too...
How naive I was to think the default OpenWRT firewall rules would not forward private addresses to the WAN interface...
http://192.168.100.1 and ta-da: the most dumb-looking modem I bought isn't that dumb after all! Of course it has a web interface without any password. Of course it doesn't care what the destination MAC address is. Of course Linux doesn't care about the unexpected MAC address in the reply.
Firewall configuration: never before has so much work and complexity produced so much false sense of security[*]. Instead of simply locking the (network) doors and getting some "defense in depth", leave them all open. Instead, sign a very complicated contract with an external, unreliable and SPOF security company.
To be fair that modem's interface seems read-only. Except when it's vulnerable and not.
[*] Wait, I forgot SELinux...
> I suspect it's done like this so they field less calls about why someone's cable modem won't respond when they type in the default address even if their network config is completely different.
Yes of course! Fewer field calls: more profit. Less security: who cares?
Now two somewhat better pieces of news:
- While this modem (SB6121) is at least 8 years old, the Firmware Build Time is much more recent: Apr 22 2019 (SB_KOMODO-1.0.7.3-SCM02-NOSH / 1.0.12.18m3). There is some hope.
- I could add the missing firewall rule from OpenWRT's web interface in no time:
/etc/config/firewall diff, tested
+
+config rule
+ option enabled '1'
+ option src 'lan'
+ option name 'reject private'
+ option proto 'all'
+ option target 'REJECT'
+ option dest 'wan'
+ option dest_ip '192.168.0.0/16'
+
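Review bot: the rule is named 'reject private' but its only match is option dest_ip '192.168.0.0/16', which is one of the three RFC 1918 blocks; lan traffic addressed to 10.0.0.0/8 or 172.16.0.0/12 is not rejected by it. Either add those two ranges (as sibling rules, for instance) or rename the rule so the name says what it covers. Note also that option src 'lan' limits the rule to the lan zone, so any other zone allowed to forward to wan would need its own copy.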
I performed a before/after iptables -L sanity check and it looked as expected.