Using LuLu on OS X in a home business setup. Any reason for an external router-based firewall?

I have LuLu set up under OS X on my Mac. So if, say, an errant program (curl) tries to access an outside address, it is stopped.

Would an external router-based firewall bring any extra level of protection? I surmise that it will not be fine-grained enough to stop a particular process.

I believe that outgoing requests are riskier than incoming requests, as I do not have any programs listening for requests, e.g. no web server enabled.

What use would an external router-based firewall bring?

How can a vulnerable router be exploited?

Sometimes I come across articles that write about vulnerable IoT devices and say that there are a lot of routers that are not sufficiently protected.

I own a router myself which has SSH access, and I was wondering what possible attack vectors exist, because I can’t think of many except forwarding ports by looking up the ARP table, and even then you need to know what kind of device is at the other end.

I also don’t understand how malware could, for example, take over my router and add it to a botnet when it is not possible to execute shell commands; usually you can only execute commands within a (I presume) secured environment, and that is limited to a few commands. So they should not be able to upload a binary and execute it.

Router Security Warning in Logs

I’m getting regular attacks:

2020-07-29 14:44:42 Security Warning Intrusion -> SRC=80.227.225.108 DST=156.218.255.222 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63607 PROTO=TCP SPT=52363 DPT=1433 WIN

It’s every 10 mins, as far as I can see.

I changed the Wi-Fi password and made it a hidden AP, and the attacks are still coming.

I even disconnected all devices, and the logs keep getting this attack.

Should I be worried?

2020-07-29 14:54:05 Security Warning Intrusion -> SRC=45.129.33.22 DST=156.218.255.222 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=40337 PROTO=TCP SPT=42068 DPT=3378 WINDO
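
A small parser for the log format quoted in this post, added here as an example (it is not from the original post or from the router vendor). The first two sample lines are the ones quoted; the third is constructed, and the port-name table and the "bare SYN" heuristic (a 40-byte TCP packet is a header with no payload, i.e. a dropped connection attempt) are my own annotations.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the router's "Security Warning Intrusion" lines as they appear in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Security Warning Intrusion -> (?P<kv>.*)$"
)

# Well-known service names for a few destination ports; annotation only (assumed table).
PORT_NAMES = {22: "SSH", 23: "Telnet", 1433: "MS SQL Server", 3389: "RDP"}


def parse_line(line):
    """Return the fields of one intrusion entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:  # truncated trailing tokens such as "WIN" have no value and are skipped
            k, v = token.split("=", 1)
            fields[k] = v
    try:
        return {
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "src": fields["SRC"], "dst": fields["DST"], "proto": fields.get("PROTO"),
            "dpt": int(fields["DPT"]) if "DPT" in fields else None,
            "len": int(fields["LEN"]) if "LEN" in fields else None,
        }
    except (KeyError, ValueError):
        return None


def summarize(lines):
    """Count blocked probes per source and per destination port, and flag payload-less TCP SYNs."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_src = Counter(e["src"] for e in events)
    by_port = Counter(e["dpt"] for e in events)
    # LEN=40 with PROTO=TCP is a bare header: a connection attempt the router dropped, which
    # is routine internet background scanning, not evidence that the LAN was entered.
    bare_syn = sum(1 for e in events if e["proto"] == "TCP" and e["len"] == 40)
    return {"total": len(events), "by_src": dict(by_src), "by_port": dict(by_port),
            "bare_syn": bare_syn,
            "ports_named": {p: PORT_NAMES.get(p, "unassigned/other") for p in by_port}}


SAMPLE = [  # first two lines quoted from the post; the third is constructed (198.51.100.0/24 is a documentation range)
    "2020-07-29 14:44:42 Security Warning Intrusion -> SRC=80.227.225.108 DST=156.218.255.222 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63607 PROTO=TCP SPT=52363 DPT=1433 WIN",
    "2020-07-29 14:54:05 Security Warning Intrusion -> SRC=45.129.33.22 DST=156.218.255.222 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=40337 PROTO=TCP SPT=42068 DPT=3378 WINDO",
    "2020-07-29 15:04:11 Security Warning Intrusion -> SRC=198.51.100.7 DST=156.218.255.222 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=1433 WIN",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Every source is a different internet host probing the WAN address, so a Wi-Fi password change cannot affect it; what matters is that each entry is a drop and that no LAN service is exposed on the probed ports.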

What exactly is my router querying on these addresses?

I’m trying to understand how my router works, so I’m analyzing a couple of outputs (I logged in through SSH). I get these lines when running netstat -a -e, and I’m not sure where these addresses come from, or what exactly they are doing.

The xxx.xxx.xxx.xxx is the IP address that my router gets from the ISP router (WAN).

tcp  0 0 xxx.xxx.xxx.xxx:50689 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp  0 0 xxx.xxx.xxx.xxx:50695 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp  0 0 xxx.xxx.xxx.xxx:35877 a104-75-170-56.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp  0 0 xxx.xxx.xxx.xxx:35883 a104-75-170-56.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp  0 0 xxx.xxx.xxx.xxx:35876 a104-75-170-56.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp  0 0 xxx.xxx.xxx.xxx:50688 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp  0 0 xxx.xxx.xxx.xxx:50696 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED
tcp  0 0 xxx.xxx.xxx.xxx:50697 a104-75-170-17.deploy.static.akamaitechnologies.com:www ESTABLISHED

Why is Man In The Middle (MITM) not working with my Huawei router?

Man-in-the-middle is not working with my router (Huawei) on my Windows machine/any device.

But it works with another router on the same Windows machine/any device.

When I do MITM with the Huawei router:

Linux MAC: a0:af:bd:c5:21:87   Router's MAC: 7c-11-cb-1f-ad-85 

My Windows ARP table before doing MITM on it:

c:\Users\acer>arp -a

Interface: 192.168.1.113 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           7c-11-cb-1f-ad-85     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.022           01-00-5e-00-00-16     static

arpspoof script to do MITM:

1st terminal:

arpspoof -i wlan0 -t 192.168.1.113 192.168.1.1 

2nd terminal:

arpspoof -i wlan0 -t 192.168.1.1 192.168.1.113 

Then the Windows machine ARP table is:

c:\Users\acer>arp -a

Interface: 192.168.1.113 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           7c-11-cb-1f-ad-85     dynamic
  192.168.1.112         a0:af:bd:c5:21:87     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.022           01-00-5e-00-00-16     static

I tried with bettercap, ettercap and my own Python script, and I did ‘echo 1 > /proc/sys/net/ipv4/ip_forward’ in Linux. It is still not working! Not capturing anything.

The expected ARP table on Windows:

Interface: 192.168.1.113 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           a0:af:bd:c5:21:87     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.022           01-00-5e-00-00-16     static

Redirect IP address (not DNS) with router [closed]

I have an IoT system that works the following way: the IoT bridge makes a TCP handshake with a server in China with a static IP address 47.255… (the bridge sends SYN, the China server sends SYN-ACK, and then the bridge sends ACK).

Then the bridge sends an MQTT CONNECT command to the Chinese server (this includes a client ID, user name, and a password). The server just sends an accept back.

After that I can use a smartphone app to control the bridge: the smartphone sends an MQTT packet to the China server, and the server sends the exact same packet to the bridge (only the source/destination IPs and MAC addresses get changed from server to bridge).

I want to remove the Chinese server completely from this equation and want to simulate it with my own PC.

So my PC should get every packet that gets sent to the Chinese IP. The bridge is on Wi-Fi, so I have to change this in the router.

Are there easy ways to redirect IP addresses with your router? Or is it possible to directly modify the packets with the router and change the IP address of the packet?

The bridge doesn’t use DNS to find the Chinese IP address, so I can’t use a Pi-hole or similar DNS spoofing tools.

And if this works, I guess my PC has to spoof its source IP address in the packets to the Chinese server, or the TCP protocol won’t accept the connection with different destinations -> sources.

External IP address in router UPnP settings for WhatsApp – UK Ministry of Defence IP address?

I was fiddling with my router’s UPnP settings and found this:

Why is an external IP address showing here?

I also did a reverse IP search, and to my surprise the IP 25.54.27.39 showed "UK Ministry of Defence". I am not in the UK military or on a military base.

Is something fishy going on? I have already disabled UPnP.

Sudden large number of ports and services on my router [closed]

I’ve conducted a scan of my network, and I’ve noticed a worrying number of ports and services now running on my router.

I have a Virgin Media Superhub2. Below are the ports and services that are open. I cannot find information on the internet.

Can anyone shed some light as to what has possessed my router? Some of the services are things I’ve never seen before!