Ansuel / tch-nginx-gui

Modified file to apply to a stock technicolor GUI
GNU General Public License v3.0
344 stars 52 forks

CWMP disabled. Really? #566

Closed. xes closed this 5 years ago

xes commented 5 years ago

Even if CWMP is disabled in the GUI, the cwmp service is running and listening on port 7170, which, looking at the firewall, is in fact open.

    Chain zone_wan_input (1 references)
     pkts bytes target          prot opt in     out     source               destination
     4372  223K MMPBX           all  --  *      *       0.0.0.0/0            0.0.0.0/0
     4214  215K input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
        3   180 ACCEPT          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7170 /* !fw3: ubus:cwmpd[cwmpd] rule 1 */

kevdagoat commented 5 years ago

Could you please give us some more info!

It really helps


On 12 Mar 2019, at 12:22 am, xes notifications@github.com wrote:

NB: Before submitting an issue, check if there is one already open that suits the problem you are having!

Device Model: Gui Version:

Description of problem:

How to reproduce (if possible):

Media/Photos (if possible):


xes commented 5 years ago

Sorry, you are right... DGA 4132, FW 2.0.0, GUI dev 8.13.71

...after a few days of uptime (no idea if it is triggered by a DSL resync/disconnect), the CWMP card still shows disabled while the service is running and port 7170 is reachable from outside.

Maybe it would be useful to add to the CWMP and Remote Assistance cards the real-time status of the related firewall ports. This would give immediate feedback if anything goes wrong, showing when the service is (or should be) disabled while the ports are still open in iptables.
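The real-time check proposed above, written out as an added shell example that is not part of tch-nginx-gui. It parses the layout of `iptables -nvL zone_wan_input` exactly as pasted in this issue, looks for an ACCEPT rule for the cwmpd port, and compares the result with the state the GUI card claims. The sample chain is constructed from the output posted above; the GUI state is an assumed argument passed in by the caller, since how the card stores it is not described here.

```shell
#!/bin/sh
# Added example (not code from tch-nginx-gui): audit whether the WAN input chain
# still ACCEPTs the cwmpd port while the GUI card says CWMP is disabled.
# Assumptions: the column layout of `iptables -nvL zone_wan_input` as posted in
# this issue; the GUI state is supplied by the caller ("enabled"/"disabled").

# Constructed sample chain, modelled on the output pasted in the issue. On the
# router, replace it with "$(iptables -nvL zone_wan_input)".
SAMPLE_CHAIN='Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4372  223K MMPBX      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 4214  215K input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7170 /* !fw3: ubus:cwmpd[cwmpd] rule 1 */'

# cwmp_port_open CHAIN_TEXT PORT
# Prints every ACCEPT rule for TCP PORT found in CHAIN_TEXT; exit 0 if at least
# one exists, 1 otherwise. In `iptables -nvL` output $3 is the target, $4 the
# protocol, $8 the source; "dpt:PORT" sits in the match columns after $9.
cwmp_port_open() {
    printf '%s\n' "$1" | awk -v port="$2" '
        BEGIN { want = "dpt:" port }
        $3 == "ACCEPT" && $4 == "tcp" {
            for (i = 9; i <= NF; i++)
                if ($i == want) { print "open from " $8 ": " $0; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# cwmp_listening PORT
# Live check on the device (not exercised by the sample): is anything bound to
# TCP PORT? BusyBox netstat shows "0.0.0.0:7170" or ":::7170" as local address.
cwmp_listening() {
    netstat -lnt 2>/dev/null | grep -q "[:.]$1 "
}

# cwmp_audit GUI_STATE CHAIN_TEXT PORT
# Prints OK when the firewall agrees with the card, MISMATCH (exit 1) when the
# card says "disabled" but the WAN chain still accepts the port, which is the
# condition reported in this issue.
cwmp_audit() {
    state=$1; chain=$2; port=$3
    if cwmp_port_open "$chain" "$port" >/dev/null; then open=1; else open=0; fi
    if [ "$state" = disabled ] && [ "$open" = 1 ]; then
        echo MISMATCH
        return 1
    fi
    echo OK
}

# Run against the constructed sample; "|| :" keeps a MISMATCH from aborting a
# caller that runs with `set -e`.
cwmp_audit disabled "$SAMPLE_CHAIN" 7170 || :
```

On the router the same functions can be run from cron after every `ifup` of the WAN interface, pairing `cwmp_audit` with `cwmp_listening 7170` so that both an open firewall rule and a listening cwmpd are reported while the card still says disabled.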

putipower commented 5 years ago

95.239.xxx.xx is responding on port 7170.

putipower commented 5 years ago

@Ansuel @FrancYescO what do you think? Can this port be closed, and maybe a check added as @xes suggested? Thanks

Ghost9090 commented 5 years ago

@FrancYescO @Ansuel also because remote access with the MyTIM app does not work even though the CWMP address is correct. It keeps saying the modem is off.

Ghost9090 commented 5 years ago

[attached images: 20190313_154015, Screenshot_20190313-153921_Chrome]

kevdagoat commented 5 years ago

Could you please post a debug dump :)

Cards >> System Extras >> Debug Report

Ghost9090 commented 5 years ago

Me? @kevdagoat

kevdagoat commented 5 years ago

Sorry wrong issue :D


xes commented 5 years ago

Sincerely, which feedback is still needed?

Any PPP reconnect triggers a cwmpd reload/restart:

    Sun Mar 24 00:08:55 2019 user.notice pppoe-relay-hotplug: Interface wan ifup
    Sun Mar 24 00:08:55 2019 user.notice cwmpd: Reloading cwmpd

At the moment I fixed it by adding a plain "exit 0" into /etc/init.d/cwmpd right after start_service() and reload_service().

diekmanu commented 5 years ago

Or just remove the e(x)ecute rights for cwmpd in /etc/init.d

Ansuel commented 5 years ago

Modifying the init.d script or removing the exec bit is not a solution... it is just a workaround for a specific problem.

diekmanu commented 5 years ago

Yep, but no one wants this port open to the outside world. At least not when it is not required by your ISP.

There were a lot of security concerns regarding TR-069 / CWMP in the past. I don't know if these have been addressed/fixed, so this is something you guys need to figure out. It seems to be related to wansensing, like @FrancYescO mentioned, but I have no time to dig any further at the moment.

FrancYescO commented 5 years ago

just continue here https://github.com/Ansuel/tch-nginx-gui/issues/532