updating iptables/ipset to current versions

[vtol]

Since Android was mentioned it requires the wireless chipset manufacturers to develop the drivers anyway for new kernel versions since they cannot (or dare to) tell the phone manufacturers to stick to old kernels, else nobody would be buying their products in the first place.

Whilst Linux desktop/tablet is a rather small spread in comparison it still requires drivers for the various chipsets working in the machines. And those desktop/tablet distros are rather sharp on deploying the most recent kernels and get chipset drivers.

Perhaps the router chipset landscape is somewhat different, maybe the commercial margins are just not worth the effort.

 

[RMerlin]

Sure, that is the development (time/cost) involved, which they seems to be happy to spend (on updates) when it is Windows though. MS is changing lot of things bi-annular since the inception of W10.

MS is spending a lot of effort toward ensuring they don't break existing applications and drivers. That's why we have this bloatted OS today, and they are trying to move people off win32 and onto UWP. And when they do make critical API changes, it creates havok. Remember Vista? It involved a lot of API changes. Same with Windows XP, which was a PITA for many months after launch Meanwhile, Windows 10 1803 is still compatible with printer drivers (and many other drivers) released for Windows 7. Plus, Windows development cycle amounts in years, not weeks.

am glad that my Android 8 is at least at 4.4.78-perf+ kernel, now that you mentioned it

Your device perhaps. As pointed out. my older device is still on 3.1. Same thing as with routers - kernels never get updated.

 

[RMerlin]

Since Android was mentioned it requires the wireless chipset manufacturers to develop the drivers anyway for new kernel versions since they cannot (or dare to) tell the phone manufacturers to stick to old kernels, else nobody would be buying their products in the first place.

Except that's what is happening: after a device is launched, it stays on the same kernel for its lifetime. And even despite that, smartphones rarely get more than one Android update (unless you have a Nexus device), and quite often it's 3-6 months after that Android release was launched.

The only time a new kernel is used is when a new device is developed.

 

[vtol]

https://www.routersecurity.org/consumerrouters.php

Whilst not being an universal truth it appears to be a seemingly educated opinion/insight

"When you buy a consumer router you are buying the hardware. The software is provided as cheaply as possible. When you buy a business class router you are buying the software.

Consumer router vendors do as little firmware maintenance as possible

Old software, with know flaws, is the rule rather than the exception with consumer routers. Even the latest firmware often contains disgracefully old versions of software.

In December 2017, Insignary scanned the firmware of 32 Wi-Fi routers from ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link. Every router had a known security vulnerability. No zero days needed. A majority of the examined firmware contained components with more than 10 "Severity High" vulnerabilities. Half of the firmware had "Severity Critical" vulnerabilities"

 

[RMerlin]

Whilst not being an universal truth it appears to be a seemingly educated opinion/insight

That site generally has very valid points indeed.

Personally, I think it goes down to exposure surface. I avoid fancy features such as cloud sharing, remote web management or IFTTT. Any remote access to my router has to go through OpenVPN. With my setup, I feel confident enough in trusting my Asus router. I also see Asus being very active in fixing reported issues these days, in addition to those I can fix myself. Can't say I'd feel the same level of confidence with D-Link, for example...

It's a matter of balance really. If I needed stronger security, I'd go with a self-built system instead. For years I used a Linux box running CentOS + Shorewall at my office, for instance.

 

[vtol]

It's a matter of balance really. If I needed stronger security, I'd go with a self-built system instead. For years I used a Linux box running CentOS + Shorewall at my office, for instance.

This has been a bit sobering. Decided to split network security from (w)lan routing and procuring now this open source microFirewall appliance https://www.netgate.com/solutions/pfsense/sg-1000.html. Downside is another power cable/socket/consumer