# The word on Verizon FiOS and Linux



## lotuseclat79 (Sep 12, 2003)

I had Verizon FiOS installed on the day before Thanksgiving this week, and since my WinXP Pro SP2 system has been in cold storage for over two years, I asked for them to use the field laptop to do the installation. It took a little over 3 hours and was an easy install.

Initially, I tried without success to use my Ubuntu 8.04 Hardy Heron setup in a Live CD environment - I think it was my restrictive iptables firewall that hindered it and I have read at the ubuntu forums that they block port 80.

Then I tried Intrepid Ibex, Ubuntu 8.10 without the firewall and it worked right out of the box.

The Verizon router incorporates a hardware firewall, and I think it runs Linux if I am not mistaken.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

I've been a busy beaver setting up my environment w/FiOS. First thing was to transform my ppp0 oriented iptables firewall for eth0 operation. Next is upgrading packages for security and other requirements of mine. One thing that is not available as yet in the Ubuntu 8.10 repositories is zenmap, the graphical frontend for nmap, so, I downloaded the software .bz2 compressed file and compiled and installed (as root) the entire set {nmap, zenmap} after finding out I needed to install a g++ symbolic link to g++-4.3 in /usr/bin (you'd think the install would take care of that little, but very important item), eh? Yeah, well, that's what life is like in the Linux lane!

Here is some more information on the Verizon FiOS router: ActionTec MI-424-WR Rev D. It runs a BusyBox distribution of the Linux (embedded) operating system. The antenna is removable and uses a reverse polarity SMA connector.

Actiontec MI424WR Review: Able partner for Verizon FiOS (5 web pages)
1) Introduction
2) Features - Wireless, My Network
3) Features - Network, Firewall
4) Features - Parental Controls, Advanced
5) Performance

I have done some port testing at grc.com ( https://grc.com/x/ne.dll?bh0bkyd2 ) and at http://www.hackerwatch.org/probe/ In both cases all ports should be either blocked | stealthed.

-- Tom
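The firewall conversion mentioned above (a stateful "drop everything not requested" ruleset moved from a ppp0 dial-up interface to eth0 behind the FiOS router), as an added example that is not code from this thread, from Verizon or from ActionTec. The helper names `build_rules`, `render` and `apply_rules` are hypothetical. The script only prints the iptables commands for review; it applies them only when run as root with `--apply`. Dropping fragments is off by default, because IPsec and some UDP services fragment legitimately, which is the same trade-off raised later in the thread.

```python
"""Stateful 'drop everything not requested' iptables ruleset for a single
Linux host whose Internet-facing interface has changed (ppp0 -> eth0).
Added example; helper names (build_rules, render, apply_rules) are hypothetical."""
import shlex
import subprocess
import sys


def build_rules(wan_if="eth0", stealth_icmp=True, drop_fragments=False):
    """Return the iptables invocations (as argument lists) for wan_if.

    Only loopback traffic and replies to connections this host opened are
    accepted on wan_if; the INPUT policy drops the rest.  Changing the
    interface name is the whole 'ppp0 to eth0' conversion.
    """
    rules = [
        # Clean slate in the filter table, then default-deny inbound/forward.
        ["-F"], ["-X"],
        ["-P", "INPUT", "DROP"],
        ["-P", "FORWARD", "DROP"],
        ["-P", "OUTPUT", "ACCEPT"],
        ["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        # Packets that fit no tracked connection (bad flags, stray RST/ACK).
        ["-A", "INPUT", "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP"],
        # Replies to traffic this host requested.
        ["-A", "INPUT", "-i", wan_if, "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    if drop_fragments:
        # '-f' matches second and later fragments.  Off by default because
        # IPsec (ESP) and some UDP services fragment legitimately.
        rules.append(["-A", "INPUT", "-i", wan_if, "-f", "-j", "DROP"])
    if stealth_icmp:
        # Do not answer echo-request on the WAN side ("stealth" pings).
        rules.append(["-A", "INPUT", "-i", wan_if, "-p", "icmp",
                      "--icmp-type", "echo-request", "-j", "DROP"])
    # Anything else on wan_if is unsolicited: log a rate-limited sample,
    # then let the DROP policy discard it.
    rules.append(["-A", "INPUT", "-i", wan_if, "-m", "limit", "--limit", "5/min",
                  "-j", "LOG", "--log-prefix", "unsolicited: "])
    return rules


def render(rules):
    """Shell-quoted command lines, for review before applying."""
    return ["iptables " + " ".join(shlex.quote(a) for a in r) for r in rules]


def apply_rules(rules):
    """Run the rules in order (requires root and the iptables binary)."""
    for r in rules:
        subprocess.run(["iptables", *r], check=True)


if __name__ == "__main__":
    wan = next((a for a in sys.argv[1:] if not a.startswith("--")), "eth0")
    rules = build_rules(wan, drop_fragments="--drop-fragments" in sys.argv)
    if "--apply" in sys.argv:
        apply_rules(rules)
    else:
        print("\n".join(render(rules)))
```

Run it as `python3 fw.py eth0` to review the commands, and as `sudo python3 fw.py eth0 --apply` to load them; add `--drop-fragments` only while no IPsec or fragment-dependent UDP service is in use.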


----------



## vtel57 (Jul 12, 2004)

Very interesting. You're trail blazing for many folks, Tom. I'll be hooking up with FIOS sometime this year, most likely. I run Slackware. I don't think I'll have any issues, but it's nice to see you plowing along ahead of me. Thanks.

~Eric


----------



## lotuseclat79 (Sep 12, 2003)

Yesterday, my nmap test of the IP address (which is actually the router's IP address) showed that it responds to an ICMP echo request - which should be turned off. As soon as I get over to the Verizon web site to start activation of my account, I'm going to figure out if that is possible from the information in my previous message regarding the review of the router's software.

-- Tom


----------



## R-C (Dec 5, 2008)

I have had the pleasure of having Verizon FiOS since 2005; I was one of the original test houses out here in my area of Texas. LOVE IT!
I run Mepis7 as my daily-use Linux distro, and it picked up the FiOS immediately; I never had to do a thing to it: plugged the Ethernet cable into the supplied D-Link router, booted up, and was good to go.
Have a few other PCs hooked up to the D-Link also, all running Windows. Have not had a single down time in the FiOS since the install, except for when the power goes out.


----------



## lotuseclat79 (Sep 12, 2003)

One of the items in a small package of documents that Verizon issues to users of FiOS at installation is a CD with the User Manual of the Router. Very Good Information, and I see where I can unclick a box to stealth the ICMP pings from being responded to - although I don't know if Verizon would like that. There is also information on installing new router firmware, and when I visited the BusyBox (the Linux distro used by the router) website, it indicated that there are frequent upgrades to be had since I had FiOS installed just Wednesday last week.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

While running zenmap (the frontend of nmap), during the intensive scan of my router's IP address (i.e. my computer only has an internal IP address, and my Firefox add-on Show MyIP actually displays the router's external IP address on the Internet) - there were a number of ports that were not stealthed (closed | blocked). Good thing I run the iptables firewall from my computer to drop everything not requested!

Also, ran into a security report that details vulnerabilities of the router at dslreports: Verizon Online FiOS FAQ: 3.1 ActionTec. Download and read the PDF at Security Vulnerabilities in SOHO Routers.

-- Tom


----------



## rubanek (Jan 5, 2009)

I found this post doing a google search for "fios linux router". I'm an avid linux user and have been a comcast user for 5 years. I'm leaving Comcast due to their download constraints of 150 gigs/month. The nice thing about Comcast is I can use my linux (debian) server as my gateway to the internet. It's dual-homed, running iptables. The NIC connected to the internet (connected to Comcast's cable modem) is eth0 and the internal NIC is eth1. Eth0 uses DHCP to request an IP address from Comcast, while I also run a DHCP server for the internal LAN on eth1. I'm fearful that I'm going to have difficulty circumventing Verizon's router.

Lotuseclat79, I'd love to chat with you regarding your findings w/ fios.

-rubanek


----------



## lotuseclat79 (Sep 12, 2003)

Hi rubanek,

Welcome to TSG!

I have talked to former colleagues about powering down the router and the tcp/udp ports that are not stealthed. These folks are os/networking gurus from way back, however, they (one being on comcast as I recall) seemed to be of the opinion that the ip address would be static (based on their routers/other providers).

On the contrary, I have been able to power down my computer and then the router and then in turn each power strip supporting them, and upon reversing power up sequence (the computer seems to prefer detecting the connection), the dhcp nature of the router is that a new ip address is assigned - as I suspected it should.

The FiOS installation comes with a pack of documents, one of which is a CD of the router's documentation (pdf file) which is very illuminating. By default, after FiOS is installed, you need to follow the document's direction to login to the router as admin and modify the default settings. One curious one that I fail to understand is that you have to check off the block that avoids the vulnerability of partial packets - I just do not understand what vendors think their investment in customers is when they don't do the utmost at protecting the customer's security in every way possible.

When you convert to FiOS, there are instructions on changing routers in the router document. The documentation is very good, and I don't think your problems will be in circumventing the FiOS router, but more so in working it into your layout of computers, and the documentation covers that topic nicely. Also, the tech support is very good.

Shortly, I will begin experimenting with more changes to the router, and post what I find here.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

I have now logged into the router and called tech support at Verizon (1-888-553-1555) because I got confused by the multiple dots upon keying in the password that was installed by the laptop installation (usb flash drive) and changed by the Verizon employee installer who did the work.

Since I do not have a wireless LAN at home, i.e. my router is connected to my computer with the yellow cable, I did not need the wireless, and turned it off in the router.

Since I am looking into vpn services for more privacy, vpn over IPSec and some UDP-based services use fragmented packets legitimately, and due to that I have deferred checking the box that drops fragmented packets (a vulnerability for disrupting LANs - which for now I can ignore).

Edit: I think I will after all check the box to drop fragmented packets until I get the vpn service. End Edit.

Another way to increase security is to require MAC authentication, but I have to read more about it before making any changes.

For advanced firewall settings, Verizon tech support apparently works closely with the router manufacturer, ActionTec, and can transfer a tech support call to them for help.

Since I do not use FiOS video services, I do not even have to use the Verizon router, and there is a procedure in the document to swap the ActionTec router out.

Since everything not requested is dropped, and so far the open ports have not been a problem, I will for now defer on attempting to stealth those ports until I make more assessments on that.

-- Tom


----------



## tomdkat (May 6, 2006)

Thanks for the updates.  Which ports are open that concern you?

EDIT: Also, how is your Internet access performance with FiOS?

Peace...


----------



## lotuseclat79 (Sep 12, 2003)

By logging into the router from my computer, and checking out the Advanced features regarding both Remote Administration and Local Administration (relative to LAN only), I have determined that all of the ports I was concerned about were not checked to have incoming access turned on - so, apparently not a problem. A rerun of ShieldsUp!! confirmed all service ports 0-1055 were stealthed.

The only question I have is why they are not stealthed re: an nmap test, which I will need to take up with both Verizon and ActionTec support, and/or posting at insecure.org. I will report relevant information as I learn it.

The other item of concern is easily unchecked in the Remote Administration/Diagnostic Tools box, and checked back on for any required Remote Administration such as a firmware update of which there is none yet for my router.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

After lots of searching, here is how to turn off any open ports in the FiOS router:
Is there a Port open to the world on the actiontec router? which is conveniently located in a FiOS FAQ. There is one port that enables gamers, webcams, IM & others by opening a tunnel between remote (Internet) computers and a specific device port inside your local area network (LAN), however, it looks like Verizon uses this port (4567) for managing the router's software? The port is widely associated as a trojan port (tram, filenail), and so was poorly chosen by Verizon for whatever purpose - I recommend closing it using the guide above.

Another thing is that UPnP should also probably be disabled in the router unless you are a gamer (accessible from the Advanced icon from the Main Menu in the router after login).

And one last thing is that you should change the DNS settings to use OpenDNS. Although on my Linux, the /etc/resolv.conf file indicates the router is the DNS server, it appears to be a DNS relay to Verizon's DNS servers.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

Ok, if you run zenmap/nmap from inside your network connection, all of the ports of concern will show up as open, however, if you run zenmap/nmap from outside the WAN (i.e. your router, from the Internet, e.g. from http://nmap-online.com), only port 4567 showed up for me, and the ports that I suspected were stealthed, indeed were, which agreed with the grc.com scans. Issue solved, so, now all I have to deal with is port 4567.

-- Tom
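To make the inside-versus-outside scan difference above concrete, here is an added example (not code from this thread or from the nmap project) that parses nmap's grepable output (`-oG`) and sorts each port into open, closed (the host answers with a RST, so a scanner sees the port even though nothing listens there, which is what "not stealthed" means) or filtered (no answer, i.e. stealthed). It also reads the "Ignored State" that nmap applies to every port it does not list, which is the difference between a LAN-side scan (unlisted ports closed) and an Internet-side scan (unlisted ports filtered). The two scan results are constructed samples modelled on the thread's description, the function names are hypothetical, and the only watchlist entry is port 4567, the port the thread discusses.

```python
"""Classify ports from nmap grepable output (-oG) into open / closed /
filtered, and compare a LAN-side scan with an Internet-side scan.
Added example; function names are hypothetical, samples are constructed."""
import re
from dataclasses import dataclass

# Each grepable "Ports:" entry is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

# Constructed sample: a scan of the router from the LAN side.
INSIDE_SCAN = (
    "# Nmap 4.76 scan initiated (constructed sample, LAN side)\n"
    "Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 4567/open/tcp//tram///\tIgnored State: closed (996)\n"
)
# Constructed sample: the same router scanned from the Internet side.
OUTSIDE_SCAN = (
    "Host: 203.0.113.10 ()\tPorts: 113/closed/tcp//ident///, "
    "4567/open/tcp//tram///\tIgnored State: filtered (998)\n"
)


@dataclass
class HostResult:
    host: str
    ports: dict          # port -> (state, proto, service)
    ignored_state: str   # state nmap collapsed for every unlisted port
    ignored_count: int


def parse_grepable(text):
    """Return one HostResult per 'Host:' line that carries a port list."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = [f.strip() for f in line.split("\t")]
        host = fields[0].split()[1]
        ports, ignored_state, ignored_count = {}, "unknown", 0
        for f in fields[1:]:
            if f.startswith("Ports:"):
                for entry in f[len("Ports:"):].split(","):
                    m = PORT_RE.match(entry.strip())
                    if m:
                        port, state, proto, service = m.groups()
                        ports[int(port)] = (state, proto, service or "?")
            elif f.startswith("Ignored State:"):
                m = re.search(r"(\w+) \((\d+)\)", f)
                if m:
                    ignored_state, ignored_count = m.group(1), int(m.group(2))
        results.append(HostResult(host, ports, ignored_state, ignored_count))
    return results


def stealth_report(result, watchlist=frozenset({4567})):
    """Split listed ports by state and flag watchlisted open ports.

    'closed' ports are reachable (they answer with RST); only 'filtered'
    ports, and unlisted ports when the ignored state is 'filtered', are
    stealthed in the ShieldsUp!! sense.
    """
    by_state = {s: sorted(p for p, (st, _, _) in result.ports.items() if st == s)
                for s in ("open", "closed", "filtered")}
    by_state["unlisted_stealthed"] = result.ignored_state == "filtered"
    by_state["flagged"] = sorted(p for p in by_state["open"] if p in watchlist)
    return by_state


def wan_exposure(inside, outside):
    """Ports open from the LAN but not from the WAN are router services only
    the local network can reach; what is open from the WAN is the real exposure."""
    lan_open = {p for p, (s, _, _) in inside.ports.items() if s == "open"}
    wan_open = {p for p, (s, _, _) in outside.ports.items() if s == "open"}
    return {"lan_only": sorted(lan_open - wan_open), "internet_exposed": sorted(wan_open)}


if __name__ == "__main__":
    inside = parse_grepable(INSIDE_SCAN)[0]
    outside = parse_grepable(OUTSIDE_SCAN)[0]
    print("LAN side:     ", stealth_report(inside))
    print("Internet side:", stealth_report(outside))
    print("Exposure:     ", wan_exposure(inside, outside))
```

With a real `-oG` file from each vantage point, `parse_grepable(open(path).read())` replaces the constructed samples; the closed port in the outside sample is there only to show that a closed port is reported, not stealthed.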


----------



## lotuseclat79 (Sep 12, 2003)

Note: There are two DNS server settings that should be changed (I'm not talking about the primary and secondary DNS server settings). Since I run off of a WAN Coax, although I had changed the DNS server settings in the router for my Home Network (of one computer connected to the router so far), I had thought that was it until I saw a web page pop up that indicated that there was a Verizon DNS server in play when the web page I found via a search was no longer active. I had not yet at that time changed the WAN Coax DNS server settings to OpenDNS.

Now, I am sure I have it right and all is well, whereas it wasn't quite there yet before the last change.

-- Tom


----------



## tomdkat (May 6, 2006)

lotuseclat79 said:

> I had thought that was it until I saw a web page pop up that indicated that there was a Verizon DNS server in play when the web page I found via a search was no longer active. I had not yet at that time changed the WAN Coax DNS server settings to OpenDNS.


Really? What did the pop up say? Can you post a screenshot? I can see a proxy server being involved but not another DNS. Strange.

Peace...


----------



## lotuseclat79 (Sep 12, 2003)

Hi Tom,

Not so strange when you login the router as admin and look at the DNS settings. There are two cited - I just happened to not have looked over to the right of the table where there was the WAN Coax DNS settings pointing to the Verizon DNS servers. I only initially changed the Home Network (I only have one computer hooked up to the router), however, I have a WAN Coax hookup, not a WAN Ethernet hookup.

The pop-up was a web page - i.e. the kind you get when the ip address cannot be resolved from the name, e.g. when a web page has vanished.

-- Tom


----------

