If the only client is an Ubuntu desktop is something like IPCop necessary ?

[linuxyogi]

Hi,
I am planning to avail a fiber broadband connection. I dont want to use the ISP provided router coz I have no idea how secure it is & how well they offer timely firmware updates.
At the moment the only client is my desktop running Lubuntu. I watched on Youtube that in order to convert a fiber connection a MODEM is needed which converts fiber to RJ45.
My question is if I connect the RJ45 which comes out of the modem directly to my PC's LAN port will this cause any issues from a security angle ?

In future I am planning to buy an Amazon Fire TV stick. When I do that I will install IPCop on a dedicated PC and use a cheap router in ACCESS POINT mode.

For now the only client is my Lubuntu 20.04 box.

[TheFu]

will this cause any issues from a security angle ?

YES!
Most people don't secure their desktops anywhere near enough to place them on the unfiltered internet. Even the ISPs busted router would be better than doing that. For people in these forums with lots of experience, but little desire to run a router distro, the easy, relatively cheap, answer, is to get a Microtik or Ubiquiti router to perform the WAN firewall/routing work. Both those vendors have a long history (10+ yrs) of providing patches for their equipment. If you want to blow more cash, Asus has been forced by the US-FTC to provide new firmware after a few high-profile failures. I think they are under a 20 yr mandate using best security practice techniques - but they charge $250+ for their equipment. The others are around $75 for good enough routers. For about $120, you can get a purpose built, PCEngines device and load any BSD or Linux routing distro you want.

Is ipcop distro maintained? There was a time when they didn't have any updates for over 2 yrs I just read.

The latest stable IPCop version is 2.1.9, released on 2019-02-23.

I wouldn't touch that if you paid me. There have been a number of remote exploits to the kernel since that time.

[linuxyogi]

YES!
Most people don't secure their desktops anywhere near enough to place them on the unfiltered internet.

So you are saying that even Ubuntu with ufw enabled is still vulnerable ?

I am facing a slightly different problem. Two big ISPs in my country have started to introduce their high speed fiber connections at a reasonable price but there is one big problem. None of them allow customers to use their own router. Suppose I use the ISP provided router as the perimeter firewall & connect a Smoothwall box to one of the LAN port of my ISPs router will that make my network secure enough ?

[CelticWarrior]

None of them allow customers to use their own router.

Are they using CG-NAT and/or provide landline phone service over the fiber?

[linuxyogi]

Are they using CG-NAT and/or provide landline phone service over the fiber?

I am going to try my best to explain.

Standard procedure

The fiber optic cable comes into the customer's home. Its then connected to the fiber port of a gpon modem which converts the signal & outputs it via a RJ45 port which then gets connected to a WiFi router. So in total 2 devices are involved the modem & the router.

Jio Fiber/Airtel Fiber

These 2 ISPs dont use a separate modem. Instead they use a "hybrid" device which works as both modem & router. I contacted both & they told me I have no other choice but to use their modem/router hybrid device.

[SeijiSensei]

Yes, if you connect a computer to the modem's Ethernet jack, you will be directly on the public Internet. I prefer to have a router between the Internet and my internal network, but it is possible to add a few iptables rules to a computer running Linux and turn it into a masquerading router. I've done it myself in the past, but nowadays I'd just buy a decent router like https://www.newegg.com/tp-link-arche...0E6-002W-006B7.

I bought my own modem, too. I'm done paying monthly rental fees for hardware from providers. I also have YouTubeTV, which eliminates a DVR by recording shows in the cloud.

[DuckHook]

I contacted both & they told me I have no other choice but to use their modem/router hybrid device.

This is true of many ISPs. It's understandable because they don't want a dog's breakfast of different devices impacting their network. Some users know just enough to be dangerous. Others are simply up to no good. So they exert at least some measure of control over their least secure attack surface by policing the consumer endpoint.

What they may not have told you—perhaps because they were confused by the way you phrased your question—is that almost all ISP routers are capable of being set up as simple bridges so that they act in effect as modems. Most ISPs are aware that knowledgeable users for many good reasons want to use their own routers. Their business customers would absolutely not put up with being forced to use the ISP's routers, so they clearly must have the capability to set those routers into bridge mode. Your misunderstanding may have been caused by requesting to use your own "device", which would not be allowed (for good reasons).

You don't need your own "device". You only need them to set their device as a simple bridge.

Re: connecting straight to your computer—as TheFu has exclaimed, this is highly unwise unless you know exactly what you are doing and are already most of the way to being a security guru. I consider myself something of a security‑savvy power-user and I would never risk it. As much as we sometimes dump on router OEMs, the fact remains that they are in business to build proper firewalls. They can (and should) be raked over the coals for orphaning their equipment, but they are still more knowledgeable on the initial get-go than the vast majority of general users.

[linuxyogi]

This is true of many ISPs. It's understandable because they don't want a dog's breakfast of different devices impacting their network. Some users know just enough to be dangerous. Others are simply up to no good. So they exert at least some measure of control over their least secure attack surface by policing the consumer endpoint.

Does your ISP do the same ? I mean force you to use their own router/firewall ? What have you done ? Are you using your ISP's router coz you have no choice ?

I am asking this question to all my friends who replied to this thread. Please reply. I am feeling trapped. I need a way out.

[DuckHook]

I've already told you what I've done. Please carefully read my previous reply again.

Though I must use my ISP's "device", they are happy to put it into bridge mode for me, which effectively turns it into a plain modem. If yours will do the same, then no trap exists and no point in feeling that way.

I don't know how ISPs behave in your country, but I would be very surprised if they refused to bridge it for you. As I've already written, no business would stand for an ISP that dictated the use of their router. It's a fundamental security/operational requirement and it's non-negotiable.

Instead of anticipating issues, simply ask your ISP to set their device as a bridge. Then it's a nonissue.

[linuxyogi]

@DuckHook
I found a Facebook group which is created for Reiance Jio Fiber users. I asked them if I can use my own router. They told me its not possible for 2 reasons. The first reason is that they use a hybrid device which does 2 tasks. It converts the fiber to ethernet & do routing & wifi. The second reason is Reliance Jio fiber doesn't allow their router to use bridge mode.

Please watch this video & you will get an overall idea how things are done in my country. Just 10 mins >>>>https://www.youtube.com/watch?v=1xnLxbhgkiI