Slashdot Mirror


Zero-Day Bugs In Numerous Modems/Routers Could Compromise Millions of Users (softpedia.com)

An anonymous reader writes: Researchers have discovered a large number of zero-day flaws in 8 routers/modems from 4 manufacturers (ZTE, Huawei, Gemtek, Quanta) that would allow attackers to build a huge botnet by leveraging just a few exploits. Vulnerabilities include remote code execution, firmware rewrites, XSS, and CSRF. All these allow attackers to intercept both HTTP and HTTPS Web traffic, infect computers beyond the modem, intercept SMS messages, and detect the modem's geographical location. After six months, manufacturers have failed to fix the issues.

81 comments

  1. Openwrt by JonathanP.Bennett · · Score: 5, Interesting

    This is why the ability to install secure and Open Source firmware like OpenWrt is so important.
    https://openwrt.org/

    1. Re:Openwrt by sexconker · · Score: 2, Funny

      The Chinese will just move the backdoors deeper into the hardware.
      We're long passed the point of no return on this one.

    2. Re:Openwrt by vux984 · · Score: 1

      I'm still on barrier breaker; my router isn't supported by chaos calmer (yet)?

      If there's a flaw in the older version... I'm pretty much in the same boat as anyone with default firmware would be.

    3. Re:Openwrt by sexconker · · Score: 2

      Past.
      (I had "We passed the point of no return on this one a long time ago." and just moved shit around. Oopsie doopsie poopsie.)

    4. Re:Openwrt by The_Dougster · · Score: 3, Insightful

      OpenWRT is really good. I won't buy a router now unless it's on the OpenWRT supported hardware list.

      --
      Clickety Click ...
    5. Re:Openwrt by Anonymous Coward · · Score: 0

      My current router is using OpenWRT, but even though they provide a list of supported hardware, it's not clear if that hardware is good or if the wireless features are modern. Also, some routers have better support than others (fewer bugs). What's the overall "best" router that supports OpenWRT?

    6. Re:Openwrt by Anonymous Coward · · Score: 2, Interesting

      Buy a new router. Routers which are supported by the latest OpenWRT release can be bought for less than $20. You don't need a fancy gigabit router on the edge of your home network. I would tell you what to get and where and how much it actually costs, but Google won't let me search US shops, because apparently a search engine should under no circumstances let me search anything outside my area. Fuck this, the internet is dead. Why have a router when the internet is like this. What we need are VPN gateways to some sane place. But if you want a cheap router that works fine with the latest OpenWRT (support for multiple SSIDs, client and AP at the same time, VLAN tagging on the ethernet switch, etc.), search for "tp-link tl-wr841n".

    7. Re:Openwrt by gstoddart · · Score: 4, Informative

      So, here's the problem with that:

      All of these modems are distributed by various telcos to their customers.

      As well as:

      It also appears that some of the modem's firmware was also modified by the telecommunications companies that distributed the modems to their customers.

      So, the real problem is these modems belong to the telco, you probably can't change the firmware, and the bugs in some cases seem to have been introduced by the telcos.

      No amount of open source ANYTHING is going to fix telcos who are providing customers with modified versions of the routers which they've done a poor job of changing.

      EVEN if the original companies release fixes, the telcos are likely too lazy/cheap/indifferent to fix the damned things, and users can't exactly swap out the modems.

      Shit like this is why companies need to bear some legal responsibility, and why telcos should be barred from modifying equipment for their own purposes -- their desire to brand it or add their own special functionality as often as not leaves users with abandoned devices which can't be fixed.

      Any sufficiently advanced incompetence is indistinguishable from malice. And this is some pretty advanced incompetence.

      --
      Lost at C:>. Found at C.
    8. Re:Openwrt by Anonymous Coward · · Score: 0

      EVEN if the original companies release fixes, the telcos are likely too lazy/cheap/indifferent to fix the damned things, and users can't exactly swap out the modems.

      Why not? Are you required to use the ISP's modem and router, or is it just convenient to do so? In my case I have a router that was provided; it is still in the box and I am using my own that I control and trust (at least trust more than the one provided.) If I was required to use the ISP's hardware, I would put my own trusted equipment between my network and the ISP's. Actually if I was required, I would probably choose a different ISP, but luckily I do have that option.

    9. Re: Openwrt by Anonymous Coward · · Score: 0

      That thing can only handle 30Mbps WAN-speed or less, basically worthless rubbish these days!

    10. Re:Openwrt by gstoddart · · Score: 1

      "EVEN if the original companies release fixes, the telcos are likely too lazy/cheap/indifferent to fix the damned things, and users can't exactly swap out the modems."

      Why not? Are you required to use the ISP's modem and router, or is it just convenient to do so?

      I strongly suspect in a lot of cases it is a requirement. ISPs tend to just sort of tell you what they're doing and don't much care what you think of it.

      If I was required to use the ISP's hardware, I would put my own trusted equipment between my network and the ISP's.

      I have a router/firewall between me and the ISP's modem, but I'm not certain that the class of problems these holes create can all be mitigated by treating the modem as not trusted. Because ultimately it still carries your traffic.

      Actually if I was required, I would probably choose a different ISP, but luckily I do have that option.

      It's great if you have the choice, and it's meaningless if you don't.

      --
      Lost at C:>. Found at C.
    11. Re:Openwrt by davecb · · Score: 1

      There was an ACM article about hardware backdoors: turns out they show up as rarely-accessible code when you do a (normal) check to get rid of redundant or under-used circuits.

      --
      davecb@spamcop.net
    12. Re:Openwrt by Anonymous Coward · · Score: 0

      The Chinese? Well, I assume they are trying to catch up to NSA and Cisco.

    13. Re: Openwrt by Anonymous Coward · · Score: 0

      It can route 100Mbps (line speed of its network ports) with firewall and masquerading enabled. That is all you need in an edge router on the vast majority of home internet connections. Consider the 802.11b/g/n 2.4GHz Wifi a bonus.

    14. Re:Openwrt by bobbied · · Score: 2

      As in all of life, it depends. It depends on what you want your router to actually do...

      Personally, I use OpenWRT on a couple of WNDR4300's that I picked up off of E-Bay over time, but I went with this router because it was CHEAP and had a VLAN capable switch. Even though I use this device, I'd not suggest it to others because currently the OpenWRT build for it is something you have to do on your own, not that it's hard, it's just time consuming.

      But more to your question.. How do you know what hardware is best supported in OpenWRT? I suggest the following: First, check the supported hardware list and make sure your exact hardware is there and shows that it's supported. Then make sure there are understandable installation instructions and that there is a build provided for your device. Finally, take a look at the device's forums and poke around to find out what kinds of problems other people are having with the hardware. In short, investigate the issues, use your favorite search engine, go look it up.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    15. Re:Openwrt by bobbied · · Score: 1

      Personally, I DON'T run the Telco provided router and I suggest you not use it either. In fact, my ISP sent me a new router just last week and I don't plan to even unwrap it. Go buy your own, load your choice of open source firmware on it and leave the ISP's router in the box.

      If you are REQUIRED to run the ISP's router, put your own router *behind* it and hide your whole network from your ISP either by using NAT or have a very strict firewall rule set (or both). (I.e., create a DMZ and put your network behind it.)

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    16. Re:Openwrt by Anonymous Coward · · Score: 0

      I'm glad you think that I don't need "a fancy gigabit router" for my home network. Of course you are wrong. Files on my home NAS and my home backup solution are accessed much more quickly with a fast, modern router. Seeing as how most home routers these days serve as the router and the WiFi access point - not having a newer one that does 802.11 AC means you are going to reduce the speed between on premise devices for no reason. I do need a fancy high speed router.

    17. Re:Openwrt by Anonymous Coward · · Score: 0

      I'm fine with my frequently updated closed source Mikrotik you insensitive clod. The cheapest home routers run for $20 and still have nice features, so I don't have to run a full fledged pfSense box all the time.

    18. Re:Openwrt by Anonymous Coward · · Score: 0

      You don't need a gigabit router on the edge of your network. Keep your fast proprietary access point on the inside, and firewall inbound connections from the internet on the edge router. The problem with the latest and greatest routers is that they are often not entirely supported by OpenWRT yet. Getting a new gigabit router with 802.11AC up and running with OpenWRT typically requires troubleshooting skills, custom compiled firmware images and a willingness to open it up and solder wires to unpopulated serial port test points in order to debrick the router if something goes wrong. The router I recommended is a well-known device which is widely used by open wireless network initiatives like "Freifunk", because it works, it's cheap and it's good enough.

    19. Re: Openwrt by Anonymous Coward · · Score: 0

      It can route 100Mbps (line speed of its network ports) with firewall and masquerading enabled.

      Citation needed.

      Also, what's the actual backplane capacity on that thing? I mean, if it can "route" at 100meg on the uplink that's fine for my internet connection (which is currently 60meg upto), but that's the minimum I'd expect it should do. What happens when I'm also running 400meg of traffic across a combination of the switchports? How about the wifi? More to the point, why should I decrease my LAN capability from 1gig to 100meg? I'd kind of like to be able to transfer files to/from my NAS without putting my entire network into the dirt, and I'm not sure why you think I wouldn't notice that my backup cycles are taking ten times longer to complete.

    20. Re:Openwrt by Anonymous Coward · · Score: 0

      I studied the curated, maintained, accurate documentation for building and deploying OpenWrt. Or I would have if I could have found it. OpenWrt really needs way better docs.

    21. Re: Openwrt by Anonymous Coward · · Score: 0

      Dude, you know that you can have a router and a separate gigabit switch, don't you? For example the gigabit switch in that fancy router that you're trying to get out of the line of fire by putting it behind a cheap open source router.

    22. Re:Openwrt by vux984 · · Score: 1

      You don't need a fancy gigabit router on the edge of your home network.

      My internet is currently 120/6; so 100mbps isn't sufficient. I also want my openwrt box to have plenty of ram, cpu, and space, so that I can play with openwrt without worrying too much about running into the limits of the hardware. I have a Dlink dir-835 right now.

      I'm open to replacing it with something that will likely be supported by new versions of openwrt sooner than later.

      I -like- having wifi AP all built into one box, but if separating them into two separate boxes would make openwrt easier then I'm game to consider it.

      Price is always a factor but "less than $20" is needlessly frugal. I will pay more for "better".

      I would tell you what to get and where and how much it actually costs, but Google won't let me search US shops,

      I'm in Canada; so that would have been moot. But model information is appreciated.

    23. Re:Openwrt by WD · · Score: 1

      OpenWRT runs on 3G/4G modems?

    24. Re:Openwrt by wvmarle · · Score: 1

      For hackers, maybe.

      For the vast majority of the population (myself included) a router is a fire-and-forget thing. It's set up, it works, that's it. I never log in to my router to see if there's a firmware update (even while I faintly remember there is such an option, most people won't realise this at all). I don't get notified that there is a new update, so will have to remember and manually check for it. That just doesn't happen, and I like to play with those devices. Most people are less interested and really won't check ever for updates.

      So if my router is vulnerable, it'll stay so for very long. The same so for many other routers. They probably stay vulnerable until they break down and are replaced (10 years for my previous wifi router, which actually still works - never had a software update, don't know if it's even possible). Routers have to be perfect the moment they leave the factory, that's the only way to keep them safe.

    25. Re:Openwrt by JonathanP.Bennett · · Score: 1

      I'm still on barrier breaker; my router isn't supported by chaos calmer (yet)?

      If there's a flaw in the older version... I'm pretty much in the same boat as anyone with default firmware would be.

      What hardware do you have that isn't supported?

    26. Re:Openwrt by Anonymous Coward · · Score: 0

      If you think OpenWRT's documentation is bad, try reading DD-WRT's documentation.

    27. Re:Openwrt by houstonbofh · · Score: 1

      Why not? Are you required to use the ISP's modem and router...?

      With Uverse, yes.
      With Comcast for static IP addresses, yes. (But you can put your real router behind theirs and turn off NAT.)
      A lot of ISPs consider their "customers" personal property.

    28. Re:Openwrt by Anonymous Coward · · Score: 0

      There are OpenWRT capable devices that have 3G/4G modems, or can have USB modems plugged in.

    29. Re:Openwrt by vux984 · · Score: 1

      What hardware do you have that isn't supported?

      Dlink DIR-835
      https://wiki.openwrt.org/toh/d...

      As I wrote elsewhere in the thread:

      My internet is currently 120/6; so 100mbps isn't sufficient. I also want my openwrt box to have plenty of ram, cpu, and space, so that I can play with openwrt without worrying too much about running into the limits of the hardware. I have a Dlink dir-835 right now.

      I'm open to replacing it with something that will likely be supported by new versions of openwrt sooner than later.

      I -like- having wifi AP all built into one box, but if separating them into two separate boxes would make openwrt easier then I'm game to consider it.

  2. Researchers used the integrated face system by Anonymous Coward · · Score: 0

    Researchers used the integrated face system to find bugs.

  3. And the cycle begins anew by Kichigai+Mentat · · Score: 2
    Cue renewed calls for auditable firmware.
    Cue those calls continuing to fall on deaf ears.

    I mean, let's face it, barring something cataclysmic this just ain't going to happen.

    Arguably there are trade secrets contained within the firmware, which could be exploited by competitors. Motorola wouldn't want Xoom to find out that a commonly used algorithm for dealing with DOCSIS comms is in fact less efficient than another one they dug up, nullifying their competitive edge. And likewise D-Link wouldn't want you to find out that there's a critical problem with their router that can't be fixed in firmware. So they're going to fight this.

    Auditable firmware would also expose management controls used by telecoms and ISPs. This would expose their capabilities, and how they work. People wouldn't just know how far reaching these controls are, but also how limited they are. It could raise the specter of nefarious people reverse engineering access to those controls, and doing things they aren't supposed to do. So they're going to fight it too.

    Then there are legislative bodies. Auditable firmware could not only expose any backdoors that are currently in use, but expose any they try to implement in the future. So they're going to do what politicians do best and try to sweep the whole thing under the rug.

    This leaves us, thankfully, with at least one ally: The FCC, who have said they will not be blocking the use of third party firmware on wireless devices, so at least we can still retreat to open sourced firmware wherever possible, instead of relying on others to open up code for us.

    --
    Rawr
    1. Re:And the cycle begins anew by PRMan · · Score: 1

      The FCC needs to be given authority to fine tech companies for security problems. $1 per model shipped for the first offense and doubled for each additional offense within a given time period.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:And the cycle begins anew by sexconker · · Score: 1

      likewise D-Link wouldn't want you to find out that there's a critical problem with their router that can't be fixed in firmware. So they're going to fight this.

      Is D-Link going to fight against customers who open the box and try to use the thing? Because that's how I found out that my D-Link routers had critical problems that couldn't be fixed in firmware (not that D-Link would bother doing so if they could).

    3. Re:And the cycle begins anew by Anonymous Coward · · Score: 0

      Auditable firmware would also expose management controls used by telecoms and ISPs. This would expose their capabilities, and how they work. People wouldn't just know how far reaching these controls are, but also how limited they are. It could raise the specter of nefarious people reverse engineering access to those controls, and doing things they aren't supposed to do. So they're going to fight it too.

      This is complete bollocks. There aren't any 'management controls' to speak of on the modem firmware. The closest you get to that is the binfile which gets loaded from the ISP which is pretty basic... it defines a few things like the provisioned speed package, the upstream/downstreams flows, and a few other technical details. Any actual Management Controls which an ISP has in place will be at the CMTS or farther upstream in their network.
      But the modem is really not the issue. They get assigned a Private IP for network management, so unless someone penetrates the ISP's management network you can't even access the modem remotely. The bigger issue is when they add a router/wifi access point, which then does get a public IP and if not configured properly can have some security issues. The easiest solution to this, is to have your ISP put it into 'bridge' mode, which basically disables everything but the modem, then use your own router/wifi device behind it.

    4. Re:And the cycle begins anew by Kichigai+Mentat · · Score: 1
      What grade of problem is high enough to warrant a fee? It responds to pings and can be DDoS'd? Its SMB client has a vulnerability that lets anyone on the LAN access an attached drive? What about people who don't update their firmware? What about older devices that are no longer supported?

      The problem is that almost everything is going to have some sort of a security problem at some point, so where is the line drawn?

      --
      Rawr
    5. Re:And the cycle begins anew by Kichigai+Mentat · · Score: 1

      D-Link already got your money. Unless they're charging for firmware updates, and unless you're going to sue them, they've already won.

      --
      Rawr
    6. Re:And the cycle begins anew by Kichigai+Mentat · · Score: 1

      There aren't any 'management controls' to speak of on the modem firmware.

      Pretty sure Comcast has a remote management interface so they can turn on and off that Xfinity Wifi access point. Or so you can customize your Wifi access point via an app on your phone.

      Your telecom/ISP may not have full access to any hardware you own, but there's still hardware you rent, and publishing the source of the firmware for that is something I doubt they would want.

      --
      Rawr
    7. Re:And the cycle begins anew by sexconker · · Score: 1

      It's a Pyrrhic victory, because I'm not buying their fucking shit anymore, and neither is anyone in my sphere of influence (work, friends, family, neighbors, etc.).
      They don't exactly have a stranglehold on the market, yet they behave like there are no alternatives. The only more egregious example of "Nah, fuck you, customer." I've seen was with OCZ. We all know how that turned out.

  4. Welp by Anonymous Coward · · Score: 0

    It will open the twenty people using one of those brands to attack. Who are those manufacturers?

    1. Re:Welp by campuscodi · · Score: 2

      These are low-end routers distributed "for free" to new telco customers. Since the modems are free, people eat them up. Telcos usually buy them in boats, not crates. I worked for an ISP where the engineers were sad because the company just bought an entire boat of Huawei routers they had to configure.

    2. Re:Welp by citylivin · · Score: 1

      Who are those manufacturers?

      Huawei makes a cellular wireless router modem that I was just supporting for a customer last week. Cost like $400 bucks, takes a SIM card and I was getting like 80mbps over LTE network. This is for a contractor who works in the field out of their truck. So they are out there, even if they aren't as common in the consumer arena as Netgear or Linksys.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    3. Re:Welp by Dr_Barnowl · · Score: 1

      Huawei supply a lot of ISPs with routers in the UK; TalkTalk, amongst others.

  5. Fuck technology by AndyKron · · Score: 0

    Fuck technology

    1. Re:Fuck technology by gstoddart · · Score: 1

      LOL .. in Soviet Russia, technology fucks you!!

      And everywhere else in the world.

      --
      Lost at C:>. Found at C.
    2. Re:Fuck technology by Kichigai+Mentat · · Score: 1

      So Soviet Earth?

      --
      Rawr
  6. Re:Openwrt Has A Show Stopper Design Flaw by U2xhc2hkb3QgU3Vja3M · · Score: 2

    No freakin' way. They should switch to systemd instead.

  7. All hail the wall wart by MyFirstNameIsPaul · · Score: 1

    More and more I tend to think the number one protector of consumer and small business gateways is the wall wart, which predictably fails every 2-5 years, giving the appearance of a new device being needed, thus another temporary improvement in security. I suspect that one day, a clever malware maker will figure out how to grab voltage and current in the device and inform the users a new power supply is required.

    Personally, I run pfSense on an Atom board with numerous NICs.

    --

    I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  8. All Chinese? by PRMan · · Score: 1

    I was going to point out that they are all Chinese companies (and imply something insidious) but 2 of them are Taiwanese and there's no way that they would help the Chinese government.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  9. Cisco for home by Anonymous Coward · · Score: 0

    As an IT professional this is why I always stress using Cisco equipment for home networking equipment. A good example is the Cisco RV325 router, or the Cisco RV180W for wireless that are both strong in design, and reasonably priced for home use.

    1. Re:Cisco for home by godel_56 · · Score: 1

      As an IT professional this is why I always stress using Cisco equipment for home networking equipment. A good example is the Cisco RV325 router, or the Cisco RV180W for wireless that are both strong in design, and reasonably priced for home use.

      But apparently you can't use punctuation in the router's password.

    2. Re:Cisco for home by Anonymous Coward · · Score: 0

      Of course they don't allow punctuation, do you know how much damage someone could do if they tried to enter "; DROP TABLE users" in the password field?!

    3. Re: Cisco for home by Anonymous Coward · · Score: 0

      None? This is a home router, not a database you fucking unfunny imbecile.

  10. Re:Openwrt Has A Show Stopper Design Flaw by macs4all · · Score: 0

    Openwrt uses netfilter instead of pf.

    That's a show stopper.

    So the Router firmware that everyone here coos about actually uses a sucky firewall?

    Netfilter != pf.

    Typical F/OSS Fail.

  11. We need more people focused on libreCMC by Anonymous Coward · · Score: 0

    We need more people focused on libreCMC. I like OpenWRT, but OpenWRT doesn't strive to ensure that we have a complete set of sources for the devices it supports. There are proprietary components needed for *nearly all* routers and definitely for all cable and ADSL modems. ThinkPenguin's funding libreCMC's development and was part of the Save Wifi campaign. However unless more people take an interest in buying freedom respecting hardware things are not going to get better. Too many companies are advertising "open source" and then shipping proprietary garbage often in violation of the licenses of which software they're building off. Then you have efforts like the Turris Omnia router which in theory looks pretty good and was massively successful at raising funds, but it's not really. There are problems with it and it's another "open source" router that's almost certainly dependent on proprietary pieces.

  12. Re:Openwrt Has A Show Stopper Design Flaw by Anonymous Coward · · Score: 0

    Screw that, give me the HURD or sod off.

  13. Re:Openwrt Has A Show Stopper Design Flaw by Anonymous Coward · · Score: 0

    What do you expect, OpenWRT uses the Linux kernel.

    Like I said, Openwrt Has A Show Stopper Design Flaw.

  14. Re:This is why protection by hosts = superior by barbariccow · · Score: 1

    oh no.

  15. Re:This is why protection by hosts = superior by Anonymous Coward · · Score: 0

    totally surprised - did not see that coming

  16. Liability is Coming by SwashbucklingCowboy · · Score: 1

    "After six months, manufacturers have failed to fix the issues."

    That kind of crap will eventually cause Congress to enact legislation to make manufacturers liable for unpatched vulnerabilities.

    1. Re:Liability is Coming by ruir · · Score: 1

      Are not they passing legislation making politicians liable for corruption? It is so fine and dandy legislating other people work and putting them working for free for the media cartels, but god forbids them from cleaning their own backyard.

  17. finally news 4 nerdz by Anonymous Coward · · Score: 0

    Finally,
    Eventually something good comes of it. but this has to be a freak of nature..
    way 2 go DhI

  18. No reference to upgrades by ruir · · Score: 2

    Disclaimer: I worked in the past for a cable operator... What the article does fail to mention is that: 1st) Once there is an update, the ISP provider upgrades all of the modems REMOTELY. 2nd, and far more important: normally the (cable modem) routers are in a protected network with PRIVATE IP addresses. So if you are using a model that does not double up as a router, you are good. If you do that, the modem usually is crappy and slow anyway, disable the routing function, buy your own router, and put it only doing bridging.

    1. Re:No reference to upgrades by Anonymous Coward · · Score: 0

      Normally the (cable modem) routers are in a protected network with PRIVATE IP addresses.

      Oh you just wait for the next episode of CSI:nobodywatchesanymore "the hack is coming from INSIDE our PRIVATE network."

    2. Re:No reference to upgrades by Anonymous Coward · · Score: 0

      Note: this is not true everywhere in the world. In Holland for example cable modems get an external address, the network is NOT shared (since 2006 or so I think) ALL of them double as routers and while not top grade the routers are not slow... the firmware could use some improvements though

  19. HTTPS interception by manu0601 · · Score: 1

    TFA tells about intercepting HTTPS. How does a modem-router flaw allow that, since HTTPS is an end to end protection?

    1. Re:HTTPS interception by houstonbofh · · Score: 1

      TFA tells about intercepting HTTPS. How does a modem-router flaw allow that, since HTTPS is an end to end protection?

      It allows you to capture the encrypted packets. :) Of course, some of that encryption is trivially easy to crack, but not all. Shhh... You are spoiling the article.

    2. Re:HTTPS interception by Anonymous Coward · · Score: 0

      HTTPS interception works like this. The router is often assigned an IP address in a block that is considered by some browsers (notably IE) the trusted local network. This means that web sites on that network can do things that normal websites cannot, which is what makes some intranet web apps work, which also explains why so many of them only seem to work in IE. These routers can be made to serve up a script in their administration panel web interface that installs a rogue certificate on the client. This rogue certificate is then used to perform MITM attacks.

      As I see it there are two lessons here. 1) Don't use IE, at least not with its default security settings. 2) For most users the local network should be treated as hostile. I consider the second point the most interesting, because it goes against conventional net administration wisdom.
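
A defensive check for the scenario the comment above describes (a rogue certificate ending up in the client's trust store), as an added example that is not part of the original thread: it diffs the current trusted-root bundle against a saved baseline by SHA-256 fingerprint, so a root that reuses a legitimate name is still flagged. The bundle layout (`# label` lines before PEM blocks), all function names and the placeholder byte strings standing in for certificates are assumptions constructed for this example.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the encoded certificate bytes, as hex."""
    return hashlib.sha256(der).hexdigest()


def parse_bundle(pem_text: str) -> dict:
    """Return {fingerprint: label} for every certificate block in a PEM bundle.

    The label is the nearest preceding '# ...' comment line. It is kept for
    the report only; comparison is always done on the fingerprint.
    """
    certs = {}
    label, body, inside = "", [], False
    for raw in pem_text.splitlines():      # splitlines() also handles CRLF
        line = raw.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END and inside:
            inside = False
            # validate=True rejects stray characters instead of skipping them
            der = base64.b64decode("".join(body), validate=True)
            certs[fingerprint(der)] = label or "(unlabelled)"
            label = ""
        elif inside:
            body.append(line)
        elif line.startswith("#"):
            label = line.lstrip("#").strip()
    if inside:
        raise ValueError("unterminated certificate block")
    return certs


def audit(baseline_pem: str, current_pem: str) -> dict:
    """Compare two bundles; report roots added to or removed from the baseline."""
    base = parse_bundle(baseline_pem)
    cur = parse_bundle(current_pem)
    return {
        "added": {fp: n for fp, n in cur.items() if fp not in base},
        "removed": {fp: n for fp, n in base.items() if fp not in cur},
    }


def make_sample_pem(label: str, der: bytes) -> str:
    """Wrap bytes in a labelled PEM block (helper for the constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "# %s\n%s\n%s\n%s\n" % (label, BEGIN, "\n".join(lines), END)


# Constructed sample data: placeholder bytes, NOT real X.509 certificates.
# Fingerprinting treats real DER exactly the same way.
ROOT_A = b"CONSTRUCTED-PLACEHOLDER-NOT-X509 root A " * 4
ROOT_B = b"CONSTRUCTED-PLACEHOLDER-NOT-X509 root B " * 4
ROGUE_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-X509 injected root " * 4

SAMPLE_BASELINE = (make_sample_pem("Example Root CA A", ROOT_A)
                   + make_sample_pem("Example Root CA B", ROOT_B))
# The injected entry deliberately reuses an existing label.
SAMPLE_CURRENT = SAMPLE_BASELINE + make_sample_pem("Example Root CA A", ROGUE_DER)

if __name__ == "__main__":
    report = audit(SAMPLE_BASELINE, SAMPLE_CURRENT)
    for fp, name in report["added"].items():
        print("ADDED  ", fp, name)
    for fp, name in report["removed"].items():
        print("REMOVED", fp, name)
```

The baseline has to be captured while the machine is known to be clean and stored somewhere the local network cannot modify.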

  20. Re:This is why protection by hosts = superior by Anonymous Coward · · Score: 0

    Can you tell me how to run this Windows software on my ZTE, Huawei, Gemtek, or Quanta router? Thanks in advance.

  21. "RTFA"... apk by Anonymous Coward · · Score: 0

    See subject: I wouldn't use those - Read the article.

    * :)

    APK

    P.S.=> You @ least get the dignity of a reply from me - the other two (barbarricow & pure ac troll) don't... apk

    1. Re: "RTFA"... apk by Anonymous Coward · · Score: 0

      Well then stop giving Coren22 "dignity", you fucking douche.

  22. Re:Openwrt Has A Show Stopper Design Flaw by houstonbofh · · Score: 1

    So the Router firmware that everyone here coos about actually uses a sucky firewall?
    Netfilter != pf.
    Typical F/OSS Fail.

    So pick another one like http://www.smallwall.org/ or http://www.pfsense.org/ or whatever. The nice thing about FOSS is choice.

  23. This is why protection by hosts = superior by Anonymous Coward · · Score: 0

    See subject: How many times are we going to see routers exploited like this to realize my subject's true?

    For the BEST custom hosts file??

    APK Hosts Engine 9.0++ SR-4 32/64-bit: (new model released today, adding 1,200 more false positives filters, making the total 7,700++, many code optimizations & refactorings, & ALL possible new "gTLDs" incorporated) http://start64.com/index.php?o...

    * It's FREE, works better than ANY single browser addons do for more speed, security, reliability, + anonymity AND FOR MASSIVELY LESS resource consumption & complexity (especially vs. locally installed DNS) by using what you already natively have vs. "Bolting on 'MoAr'" (especially redundant ones) - in combination w/ firewalls + patching OS & apps.

    ---

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model too https://www.virustotal.com/en/...

    So is its installer -> http://f.virscan.org/APKHostsF...

    ---

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    ... apk

  24. Re:Openwrt Has A Show Stopper Design Flaw by Anonymous Coward · · Score: 0

    GNU/HURD FTW!

  25. Re:Openwrt Has A Show Stopper Design Flaw by macs4all · · Score: 1

    So the Router firmware that everyone here coos about actually uses a sucky firewall? Netfilter != pf. Typical F/OSS Fail.

    So pick another one like http://www.smallwall.org/ or http://www.pfsense.org/ or whatever. The nice thing about FOSS is choice.

    But that's like saying you really only have one choice: Both smallwall and pfsense are simply Derivatives of the now-abandoned (like so many other F/OSS Projects), M0n0wall.

    And since smallwall's main focus is "Small and Lean", rather than "Robust and Complete", I would think that using it wouldn't be a step "up" in the world of firewall-dom.

    As far as pfsense goes, I can't figure out where it lives, since it is considered a Derivative of m0n0wall, but yet it lists pf as a dependency. So??? Heck, even iOS runs pf (which I actually found amazing). What is OpenWRT's problem?

  26. Re:Openwrt Has A Show Stopper Design Flaw by houstonbofh · · Score: 1

    M0n0wall was shut down when Manuel decided that he wanted a life again. :) SmallWall is a continuation of the M0n0wall code base. pfSense was a fork that went with pf and a plugin architecture to allow expandability, while M0n0wall and SmallWall want to remain more focused.
    And while it is small and lean, it has the enterprise firewall features you would expect like VPN support.

  27. Coren22 has no dignity... apk by Anonymous Coward · · Score: 0

    See subject: Nor skills in programming or networking either - period... he's a "fake-it-till-you-make-it" in computing (He's self-proclaimed himself allegedly an MCSE? Bullshit - nobody w/ that cert would make as many blatant rookie errors as he did vs. myself http://slashdot.org/comments.p... on fundamental topics in computing vs. myself).

    * That little shit can post his "signatures" about me all day - they only show he's "butthurt" over getting his ass handed to him by "yours truly" per that link above (which only has a fraction of his fuckups vs. me in it)...

    APK

    P.S.=> I eat chumps like him for lunch & shit them out by dinner - witness the link above as your proof of my words... apk