Thanks Google for your new IPv6 mail policy
Wednesday, October 16. 2013
The short version is: Fucking idiots!
Long version:
Google Mail introduced a new policy somewhere around August 2013 for receiving e-mail via IPv6. Earlier the policy was the same for IPv4 and IPv6, but they decided to make the Internet a better place by employing a much tighter policy for e-mail senders. Details can be found on their support pages.
For e-mail Authentication & Identification they state:
- Use a consistent IP address to send bulk mail.
- Keep valid reverse DNS records for the IP address(es) from which you send mail, pointing to your domain.
- Use the same address in the 'From:' header on every bulk mail you send.
- We also recommend publishing an SPF record
- We also recommend signing with DKIM. We do not authenticate DKIM using less than a 1024-bit key.
- The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected.
- The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam.
First: My server does not send bulk mail. It sends mail now and then. If the idiots label my box a "bulk sender" (whatever that means), there is nothing I can do about it.
Second: I have already done all of the above. I even checked my PTR record twice. Yes, it is in the above list twice, using different words.
Still, after jumping through all the hoops, crossing all the Ts and dotting all the Is, they don't accept email from my box anymore. They dominate the universe, they set new policies, start enforcing them without notice and fail to provide any kind of support. At minimum a web page with a couple of form fields to test how they perceive your server and tell you what to fix. But no. They don't do that, they just stop accepting any email.
To provide matching words for their search engine, I post a log entry (wrapped onto multiple lines) from my Postfix:
postfix/smtp[6803]: A82C94E6CE:
to=<my@sending.address.fi>,
orig_to=<the@recipient's.address.net>,
relay=aspmx.l.google.com[2a00:1450:4008:c01::1b]:25,
delay=0.76,
delays=0.04/0/0.35/0.37,
dsn=5.7.1,
status=bounced (host aspmx.l.google.com[2a00:1450:4008:c01::1b] said:
550-5.7.1 [2001:-my-IPv6-address- 16]
Our system has detected 550-5.7.1 that this message does not meet IPv6 sending guidelines regarding
PTR 550-5.7.1 records and authentication.
Please review 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more 550 5.7.1 information.
qc2si10501687bkb.307 - gsmtp (in reply to end of DATA command))
I'm not alone with my problem. A number of people complaining about the same issue are easily found: Gmail, why are you doing this to me? and Google, your IPv6-related email restrictions suck. Most people simply stop using IPv6 to deliver mail to Google. My choice is to fight to the bitter end.
While complaining about the unjustified attitude I get from Google, I got a piece of advice: "Why don't you check what Google's DNS thinks of your setup?" I was like "WHAAT? What Google DNS?"
In fact there is a public DNS service offered by Google. It is described in the article Using Google Public DNS. I used it to confirm that my DNS and reverse DNS were set up correctly. I typed this into a BASH shell:
# dig -x 2001:-my-IPv6-address- @2001:4860:4860::8888
It yielded correct results. There was nothing more I could do to fix this issue. As it turned out, I did not change anything, but after a couple of days they just seemed to like my DNS more and allowed my email to pass. Perhaps one of these days I'll write something similar to my open recursive DNS tester.
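As an added example (not part of the original post), here is the forward-confirmed reverse DNS check that Google's PTR guideline describes, written in Python and run against a constructed resolver table instead of live DNS, together with a parser that pulls the DSN code and the reported sending address out of a Postfix bounce shaped like the one above. The host names, the documentation-prefix addresses and the `fake_resolver` table are all constructed; to test a real host, swap in a lookup built on a DNS library (for example dnspython's `dns.resolver.resolve`), which is equivalent to the `dig -x` query shown above.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# A resolver returns the rdata strings for (owner name, rrtype); an empty list
# stands for NXDOMAIN/NODATA. Names are compared case-insensitively and without
# the trailing dot, so "mail.example.fi." and "MAIL.example.fi" are the same owner.
Resolver = Callable[[str, str], List[str]]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


# Constructed zone data for the offline demo (documentation addresses, not real hosts):
#  - 2001:db8:1::25 and 192.0.2.25 have a PTR whose forward records point back (good)
#  - 2001:db8:1::26 has a PTR to the same name, but no AAAA points back (mismatch)
#  - any other address has no PTR at all
FAKE_ZONES: Dict[Tuple[str, str], List[str]] = {
    (ipaddress.ip_address("2001:db8:1::25").reverse_pointer, "PTR"): ["mail.example.fi."],
    (ipaddress.ip_address("192.0.2.25").reverse_pointer, "PTR"): ["mail.example.fi."],
    (ipaddress.ip_address("2001:db8:1::26").reverse_pointer, "PTR"): ["mail.example.fi."],
    ("mail.example.fi", "AAAA"): ["2001:db8:1::25"],
    ("mail.example.fi", "A"): ["192.0.2.25"],
}


def fake_resolver(name: str, rrtype: str) -> List[str]:
    return FAKE_ZONES.get((_norm(name), rrtype), [])


def fcrdns_check(ip: str, resolve: Resolver) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS, which is what Google's guideline asks for:
    the sending address must have a PTR, and the PTR's hostname must resolve
    (AAAA for IPv6, A for IPv4) back to that same address."""
    addr = ipaddress.ip_address(ip)
    rrtype = "AAAA" if addr.version == 6 else "A"
    ptr_owner = addr.reverse_pointer          # nibble-reversed name under ip6.arpa / in-addr.arpa
    ptr_names = resolve(ptr_owner, "PTR")
    if not ptr_names:
        return False, f"no PTR record at {ptr_owner}"
    for name in ptr_names:
        forward = set()
        for rdata in resolve(name, rrtype):
            try:
                forward.add(ipaddress.ip_address(rdata))
            except ValueError:
                continue                      # ignore malformed rdata rather than crash
        if addr in forward:
            return True, f"PTR {_norm(name)} has an {rrtype} record back to {addr}"
    names = [_norm(n) for n in ptr_names]
    return False, f"PTR name(s) {names} have no {rrtype} record pointing back to {addr}"


# Matches the Postfix/Google bounce shape from the post: the DSN code and the
# address Google reports inside "550-5.7.1 [<address> <n>]".
BOUNCE_RE = re.compile(
    r"dsn=(?P<dsn>\d+\.\d+\.\d+).*?550-5\.7\.1 \[(?P<ip>[0-9A-Fa-f:.]+) \d+\]",
    re.DOTALL,
)


def parse_bounce(log_text: str) -> Optional[Tuple[str, str]]:
    """Return (dsn, address Google reported) from a bounce, or None if it does not match."""
    m = BOUNCE_RE.search(log_text)
    return (m.group("dsn"), m.group("ip")) if m else None


def diagnose_bounce(log_text: str, resolve: Resolver) -> Dict[str, object]:
    """Run the FCrDNS check for the address a bounce names; the result explains which
    half of the PTR requirement (no PTR, or PTR not pointing back) is failing."""
    parsed = parse_bounce(log_text)
    if parsed is None:
        return {"matched": False}
    dsn, ip = parsed
    ok, reason = fcrdns_check(ip, resolve)
    return {"matched": True, "dsn": dsn, "ip": ip, "fcrdns_ok": ok, "reason": reason}


# Constructed bounce in the same shape as the post's log (documentation prefix, not a real host).
SAMPLE_BOUNCE = (
    "postfix/smtp[6803]: A82C94E6CE: to=<user@example.net>, "
    "relay=aspmx.l.google.com[2a00:1450:4008:c01::1b]:25, dsn=5.7.1, "
    "status=bounced (host aspmx.l.google.com[2a00:1450:4008:c01::1b] said: "
    "550-5.7.1 [2001:db8:1::26 16] Our system has detected 550-5.7.1 that this message "
    "does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication.)"
)

if __name__ == "__main__":
    for probe in ("2001:db8:1::25", "2001:db8:1::26", "2001:db8:1::27", "192.0.2.25"):
        print(probe, fcrdns_check(probe, fake_resolver))
    print(diagnose_bounce(SAMPLE_BOUNCE, fake_resolver))
```

The check deliberately resolves the PTR's hostname in the same address family as the sending address: a host whose PTR name has only an A record will pass an IPv4 sender and still fail over IPv6, which is exactly the asymmetry that bites when a mail server starts delivering to Google over IPv6.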
Idiots!
Bug in Linux 3.11: Netfilter MASQUERADE-target does not work anymore
Wednesday, October 9. 2013
This is something I've been trying to crack ever since I installed Fedora 19 alpha on my router. My HTTP streams do not work. At all. Depending on the application and the implementation of its retry policy, some things work, some don't. Examples:
- PlayStation 3 updates: Updates load up to 30% and then nothing; this one I mistakenly thought was due to a PS3 firmware update
- YLE Areena: No functionality after first 10-40 seconds
- Netflix: Poor picture quality, HD pretty much never kicks in, super-HD... dream on.
- Spotify: Works ok
- Ruutu.fi: Endless loop of commercials, the real program never starts
- Regular FTP-stream: Hang after first bytes
My Fedora 19 Linux is a router connecting to the Internet and distributing the connection to my home LAN via NAT. The iptables rule is:
iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
I found an article titled IPTables: DNAT, SNAT and Masquerading on LinuxQuestions.org. It says:
"SNAT would be better for you than MASQUERADE, but they both work on outbound (leaving the server) packets. They replace the source IP address in the packets for their own external network device, when the packet returns, the NAT function knows who sent the packet and forwards it back to the originating workstation inside the network."
So, I had to try that. I changed my NAT-rule to:
iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o em1 -j SNAT --to-source 80.my.source.IP
... and everything starts to work ok! I've been using the same masquerade rule for at least 10 years without problems. Something must have changed in the Linux kernel.
I did further studies of this problem. On a remote server I did the following in a publicly accessible directory:
# dd if=/dev/urandom of=random.bin bs=1024 count=10240
10240+0 records in
10240+0 records out
10485760 bytes (10 MB) copied, 1.76654 s, 5.9 MB/s
It creates a random file of 10 MiB. For testing purposes, I can download the file with the wget utility:
# wget http://81.the.other.IP/random.bin
Connecting to 81.the.other.IP:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10485760 (10M) [application/octet-stream]
Saving to: `random.bin'
100%[=================>] 10,485,760 7.84M/s in 1.3s
2013-10-08 17:06:02 (7.84 MB/s) - `random.bin' saved [10485760/10485760]
No problems. The file loads ok. The speed is good, nothing fancy there. I change the rule back to MASQUERADE and do the same thing again:
# wget http://81.the.other.IP/random.bin
Connecting to 81.the.other.IP:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10485760 (10M) [application/octet-stream]
Saving to: `random.bin'
10% [=======> ] 1,090,200 --.-K/s eta 85m 59s
After waiting for 10 minutes, there was no change in the download. wget simply hung there and would not proceed without manual intervention. It's official: masquerade is busted.
Me finding a bug in the Linux kernel is almost impossible. I'm not a kernel developer or anything, but whatever I try, I find nothing on the net. So I had to double check to rule out the following:
- Hardware:
- Transferring similar file from router-box to client works fully. I tested a 100 MiB file. No issues with my LAN or the client computer.
- Transferring similar file from outside-server to router-box works fully. I tested a 100 MiB file. No issues with my Internet connection.
- When not NATing, everything works ok. Based on this I don't suspect any hardware issue.
- There is no difference in my home if using WLAN or Ethernet. The problem is related to my POSTROUTING-setting.
- IPv4:
- I have a SixXS IPv6 tunnel at my disposal. Transferring a 100 MiB file from the outside server via IPv6 to the same IPv4-NATed client works fully. No issues.
- My original claim is that MASQUERADE is broken and SNAT works. The functioning IPv6 connection supports that claim.
To further see whether it would be a Fedora thing or affect all of Linux, I took the official Linux 3.11.4 source code and Fedora's kernel-3.11.3-201.fc19.src.rpm and ran a diff:
# diff -aur /tmp/linux.orig/linux-3.11.4/net/ipv4/netfilter \
/tmp/linux.fc19/linux-3.11/net/ipv4/netfilter
Nothing. No differences encountered. Looks like I have to file a bug report with Fedora and possibly the Netfilter project. Looking at the change log of net/ipv4/netfilter/ipt_MASQUERADE.c reveals absolutely nothing; the change must be somewhere else.
Why cloud platforms exist - Benchmarking Windows Azure
Tuesday, October 8. 2013
I got permission to publish a grayed-out version of a project I was contracted to do this summer. Since the customer paid big bucks for it, you're not going to see all the details. I'm sorry to act like a greedy idiot, but you'd have to hire me to do something similar to see your own results.
The subject of my project is something I personally find intriguing: how much better does a cloud-native application perform compared to a traditional LAMP setup? I chose Windows Azure as the cloud platform, since I know that one best.
The Setup
There was a pretty regular web application for performing a couple of specific tasks. Exactly the same sample data was populated into Azure SQL for the IaaS test and into Azure Table Storage for the PaaS test. People who complain about using Azure SQL can imagine a faster setup on a virtual machine and expect it to perform faster.
To simulate a real web application, a memory cache was used: Memcached for IaaS and Azure Cache for PaaS. In both cases using a memory cache pushes the performance of the application further, as there is no need to do so much expensive I/O.
Results
In the Excel charts the number of simulated users is on the horizontal axis. Two vertical axes are used for different items.
The following items can be read from the Excel charts:
- Absolute number of pages served at a given measurement point (right axis)
- Absolute number of pages returned, which returned erroneous output (right axis)
- Percentage of HTTP-errors: a status code which we interpret as an error was returned (left axis)
- Percentage of total errors: HTTP errors + requests which did not return a status code (left axis)
- Number of successful pages returned per second (left axis)
Results: IaaS
I took a ready-made CentOS Linux image bundled with an Nginx/PHP-FPM pair, lured it to work under Azure and connected it to the pre-populated data in Azure SQL. Here are the test runs from two and three medium instances.
Adding a machine to the service absolutely helps. With two instances, the application chokes completely at the end of the test load. The added machine also makes the application perform much faster; there is a clear improvement in page load speed.
Results: PaaS
Exactly the same functionality was implemented in .NET / C#.
Here are the results:
Astonishing! Page load speed is so much higher under similar user loads, and no errors could be produced. I pushed the envelope with 40 times the users, but couldn't be sure whether it was the test setup (which I definitely saturated) or Azure's capacity fluctuating under heavy load. The test with a small role was also very satisfactory; it beats the crap out of running two medium instances on IaaS!
Conclusion
I have to state the obvious: the PaaS application performs much better. I just couldn't believe that it was impossible to get an exact measurement of the point where the application chokes on PaaS.
Why Azure PaaS billing cannot be stopped? - revisit
Monday, October 7. 2013
In my earlier entry about Azure PaaS billing, I complained about how to stop the billing.
This time I managed to do it. The solution was simple: delete the deployments but leave the cloud service intact. Then Azure stops reserving any (stopped) compute units for the cloud service. Like this:
Here is the proof:
Zero billing. Nice!
Acronis True Image 2014 royal hang
Wednesday, October 2. 2013
My Acronis TI installation fucked up my laptop. Again. I was at a customer's office with my laptop when a backup was scheduled to run. That should be no biggie, right?
Wrong.
The 2013 version did that too; I wrote about it earlier. Some update for 2013 fixed it, and at some point I stopped suffering from the issue. When it did happen I misidentified the problem as being related to Windows Update; later I found out that it was because of a stuck Acronis backup job.
That shouldn't be too difficult to fix? Acronis? Anyone?
Why Azure PaaS billing cannot be stopped?
Tuesday, October 1. 2013
In Windows Azure, stopping an IaaS virtual machine stops the billing; there is no need to delete the stopped instance. When you stop a PaaS cloud service, the following happens:
Based on billing:
This is really true. On the 26th and 27th I had a cloud service running on Azure, but I stopped it. On the 28th and 29th there is billing for a service that has been stopped and for which I got the warning. I don't know why on the 30th one core is missing from the billing. Discount, perhaps?
My bottom line is:
Why? What could possibly be the idea that your PaaS cloud service needs to be deleted in order to stop billing? Come on Microsoft! Equal rules for both cloud services!
iOS 7 experiences
Thursday, September 19. 2013
Is it just me, or is Apple's new iOS 7 just a bunch of hot air?
I got the released version immediately on my iPhone and iPad. My initial reaction: the new colors are disgusting. Perhaps a person using the new user interface needs to be drunk or on drugs to like them.
After half an hour of browsing archived 1995 black-and-white web pages, I was able to start using the painter's color sheet... erhm... iOS 7. Nothing had been improved. The calendar had been made worse: the month view didn't display entries anymore. The top-left "bar" indicator had been turned into weird dots. Now it's not possible to ask "how many bars do you have?".
In the spirit of trying to be positive, I found a single thing I liked: iCloud supports notes now. That I've really been waiting for. Hopefully they finally fixed the iPad's bug of losing its APN settings. I have to admit that the new swipe screen looks good, much better than the classic old one. But something funny happens when you swipe: too many colors burn through my eyes.
The official list of new features is here, but I still cannot find anything with a "wow"-factor in it.
Migrating data from SQL into Windows Azure Table Storage
Monday, September 16. 2013
The error messages when an Azure Table Storage data insert fails are far from descriptive.
This is the complete list of supported datatypes (or Property Types as they call them):
- Binary: An array of bytes up to 64 KB in size.
- Bool: A Boolean value.
- DateTime: A 64-bit value expressed as UTC time. The supported range of values is 1/1/1601 to 12/31/9999.
- Double: A 64-bit floating point value.
- GUID: A 128-bit globally unique identifier.
- Int: A 32-bit integer.
- Int64: A 64-bit integer.
- String: A UTF-16-encoded value. String values can be up to 64 KB in size.
Really. Nothing more. You just have to get along with that!
The list is taken from Windows Azure Table Storage and Windows Azure SQL Database - Compared and Contrasted.
Things you fail to notice:
- .NET's DateTime structure has a range of 00:00:00 (midnight), January 1, 0001 Anno Domini (Common Era) through 11:59:59 P.M., December 31, 9999 A.D. (C.E.) in the Gregorian calendar. Not from January 1, 1601 AD.
- That shouldn't be an issue. My app had problems and had recorded dates in the year 201. This was a really nice way of finding that out.
- For integers, there are no unsigned versions.
- For decimal numbers, there is no Decimal, the 128-bit floating point number. You have to settle for Double, an IEC 60559:1989 (IEEE 754) compliant version.
- There is no reasonable way of storing money-type data, which needs an exact number with no floating point conversions.
- The string really is UTF-16, a two-byte version. It stores up to 32768 characters (UTF-16 code units), i.e. 64 KB.
- Which is not much compared to TEXT or varchar(max), which range from 2 GiB up to whatever you have
Hopefully this list helps somebody. I spent a good while finding all of this out.
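As an added example that is not from the post, here is a pre-insert validator in Python that applies the limits from the list above to a row before it ever reaches Table Storage, so a failure names the offending property and the limit instead of the vague error the service returns. The PartitionKey/RowKey size and forbidden-character rules come from Microsoft's Table service documentation rather than this post; the row data is constructed, and `money_to_int64` is one common workaround (a scaled integer), not something the post recommends.

```python
from datetime import datetime, timezone
from decimal import Decimal
from typing import Any, Dict
import uuid

# Limits from the property-type list above, plus Microsoft's documented key rules.
MAX_BINARY_BYTES = 64 * 1024
MAX_STRING_UNITS = 32 * 1024          # 64 KB of UTF-16 = 32768 code units
MAX_KEY_UNITS = 512                   # PartitionKey / RowKey are limited to 1 KB of UTF-16
KEY_FORBIDDEN = (set("/\\#?")
                 | {chr(c) for c in range(0x00, 0x20)}
                 | {chr(c) for c in range(0x7F, 0xA0)})
TABLE_MIN_DT = datetime(1601, 1, 1, tzinfo=timezone.utc)
TABLE_MAX_DT = datetime(9999, 12, 31, 23, 59, 59, 999999, tzinfo=timezone.utc)
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
INT64_MIN, INT64_MAX = -2**63, 2**63 - 1


def utf16_units(s: str) -> int:
    return len(s.encode("utf-16-le")) // 2


def property_type(value: Any) -> str:
    """Map a Python value to the Table Storage property type it would be stored as,
    or raise ValueError saying exactly which limit it breaks."""
    if isinstance(value, bool):                       # bool before int: bool is an int subclass
        return "Boolean"
    if isinstance(value, int):
        if not INT64_MIN <= value <= INT64_MAX:
            raise ValueError(f"{value} does not fit Int64; there are no unsigned or wider integer types")
        return "Int32" if INT32_MIN <= value <= INT32_MAX else "Int64"
    if isinstance(value, float):
        return "Double"
    if isinstance(value, Decimal):
        raise ValueError("Decimal is not a Table Storage type; only IEEE 754 Double exists "
                         "(convert exact amounts explicitly)")
    if isinstance(value, uuid.UUID):
        return "Guid"
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("DateTime must be timezone-aware UTC")
        v = value.astimezone(timezone.utc)
        if not TABLE_MIN_DT <= v <= TABLE_MAX_DT:
            raise ValueError(f"DateTime {v.isoformat()} is outside 1601-01-01..9999-12-31 "
                             "(the .NET DateTime minimum of year 1 is not accepted)")
        return "DateTime"
    if isinstance(value, (bytes, bytearray)):
        if len(value) > MAX_BINARY_BYTES:
            raise ValueError(f"Binary of {len(value)} bytes exceeds 64 KB")
        return "Binary"
    if isinstance(value, str):
        units = utf16_units(value)
        if units > MAX_STRING_UNITS:
            raise ValueError(f"String of {units} UTF-16 code units exceeds 32768 (64 KB)")
        return "String"
    raise ValueError(f"{type(value).__name__} has no Table Storage equivalent")


def check_key(name: str, value: Any) -> None:
    """PartitionKey / RowKey: string, at most 1 KB, no / \\ # ? or control characters."""
    if not isinstance(value, str):
        raise ValueError(f"{name} must be a string")
    if utf16_units(value) > MAX_KEY_UNITS:
        raise ValueError(f"{name} exceeds 1 KB")
    bad = sorted(set(value) & KEY_FORBIDDEN)
    if bad:
        raise ValueError(f"{name} contains forbidden character(s) {bad!r}")


def validate_entity(entity: Dict[str, Any]) -> Dict[str, str]:
    """Check a row before insert; return {property: type} or raise ValueError naming the bad property."""
    for key in ("PartitionKey", "RowKey"):
        if key not in entity:
            raise ValueError(f"missing {key}")
        check_key(key, entity[key])
    types: Dict[str, str] = {}
    for name, value in entity.items():
        try:
            types[name] = property_type(value)
        except ValueError as exc:
            raise ValueError(f"property {name!r}: {exc}") from None
    return types


def money_to_int64(amount: Decimal, scale: int = 4) -> int:
    """One workaround for exact money values (not from the post): store the amount as an
    Int64 count of 10**-scale units, e.g. 12.34 with scale 4 -> 123400. Refuses to round."""
    unit = Decimal(1).scaleb(-scale)
    if amount.quantize(unit) != amount:
        raise ValueError(f"{amount} has more than {scale} fractional digits; it would be rounded")
    return int(amount.scaleb(scale))


if __name__ == "__main__":
    # Constructed row; the year-201 date reproduces the failure the post describes.
    row = {"PartitionKey": "orders", "RowKey": "0001",
           "When": datetime(201, 5, 3, tzinfo=timezone.utc), "Count": 5}
    try:
        print(validate_entity(row))
    except ValueError as exc:
        print("rejected:", exc)
```

Running the validator on every row of an SQL export before the batch insert turns a generic server-side failure into a list of rows and columns to fix, which is exactly what the post's year-201 dates needed.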
Huawei B593 firmware from 3 Denmark
Thursday, September 5. 2013
Sorin was kind enough to comment on my article about Telia's firmware. He found a firmware from 3 Denmark for the B593. Naturally I had to try it as soon as I could.
My previous articles about B593 are:
- Telia firmware not having SMS-functionality in it, Saunalahti firmware link
- DMZ-setting
- Dropping to 2G EDGE occasionally
The download link for 3's firmware is: http://www.3.dk/Privat/Kundeservice/Hjaelp-til-mobilt-bredbaand/Routere/Huawei-B593/#Firmware_opgradering
You will find a .zip file containing the firmware file named hi3g_r+m+h+s.tar.bz2. The file is dated 20 Nov 2012. After the firmware upgrade, software version V100R001C26SP054 will be installed:
The previously used Saunalahti firmware has software version V100R001C260SP055, so the difference is C26 SP054 vs. C260 SP055. It is a known fact that telcos get a firmware modification kit from Huawei and can enable/disable features and add their own skins (see previous posts).
For those of us not fluent in Danish, there is a language selection on the login screen. Beware: after the upgrade was done, I didn't have any connectivity. See:
The lack of connectivity was because during the update the APN settings were set for 3 Denmark. Naturally they didn't work for me. This firmware has the VoIP functionality enabled, thus there is a need for 2 separate APNs. Finnish telcos don't have VoIP, so I cannot test that. But it does make the APN settings screen quirky: you cannot edit/delete an APN which is in use, either as the data connection or as the VoIP connection. There is no visual feedback about that, so I had to investigate the settings screen logic for a while.
I confirmed that the SMS send/receive functionality is there and works. No issues in my tests. I also confirmed my DMZ forwarding; it still works as expected.
One thing Sorin mentioned in his comment was that he experienced a lot of dropped connections with the Saunalahti firmware. His experience is that this firmware is more robust.
I'll update here if something surprising appears.
Using PHP, Zend Framework, PDO and FreeTDS in Windows Azure
Wednesday, September 4. 2013
Earlier I wrote about IPv6 connectivity from Linux / PHP with FreeTDS to MS SQL Server.
This time my quest with FreeTDS continued: I put together the most minimal possible CentOS 6.4 Linux with enough parts to produce an Nginx / PHP-FPM / Windows Azure SQL Database based web application. The acronym would not be LAMP but NPFWASD. No idea how to pronounce "npf-wasd", though.
I packaged a Hyper-V based Linux .vhd into an Azure virtual machine IaaS image and created a couple of load-balanced HTTP ports for it. The problem was to lure PHP's PDO into connecting to Azure SQL via FreeTDS dblib. I spent a good while banging my head and kicking it before it stopped resisting and started to obey my commands.
Everything would have gone much better if only I had had the proper version of FreeTDS installed on the Linux. When I realized that the TDS protocol version is hyper-important with Azure SQL, I realised that my FreeTDS version was not the one it was supposed to be. My own package would have been the correct one (see the earlier post). My tsql -C says:
Compile-time settings (established with the "configure" script)
Version: freetds v0.92.dev.20130721
freetds.conf directory: /etc
MS db-lib source compatibility: yes
Sybase binary compatibility: yes
Thread safety: yes
iconv library: yes
TDS version: 7.1
iODBC: no
unixodbc: yes
SSPI "trusted" logins: no
Kerberos: yes
The default TDS version of 7.1 is really, really important there. With that I can do:
tsql -H -my-designated-instance-in-Azure-.database.windows.net \
-p 1433 \
-U -the-application-SQL-user-without-admin-rights- \
-D -my-own-database-in-the-SQL-box-
It simply works, displays the prompt and everything works as it should. In my Zend Framework application configuration I say:
resources.db.adapter = "Pdo_Mssql"
resources.db.params.host = "-my-designated-instance-in-Azure-.database.windows.net"
resources.db.params.dbname = "-my-own-database-in-the-SQL-box-"
resources.db.params.username = "-the-application-SQL-user-without-admin-rights-"
resources.db.params.password = "-oh-the-top-secret-password-"
resources.db.params.version = "7.1"
resources.db.params.charset = "utf8"
resources.db.params.pdoType = "dblib"
No issues there. Everything works.
I received a couple of comments from other people when I announced that I would try such a feat. It appeared that most people run their own SQL instances of various kinds for performance reasons. The Azure SQL service is definitely not the fastest there is. But what if you're not in a hurry? The service is there, easily available, cheap and functional, even from Linux/PHP.
Microsoft buying Nokia's mobile phone business
Tuesday, September 3. 2013
This has been rumored for a long time. The Finnish pride Nokia chose to exit its Devices & Services branch now that Lumia phones are finally gaining popularity. It is kind of a sad day for the Finnish ICT industry as its biggest company divests roughly half of itself at a very cheap price. A lot of people, including me, were waiting for Microsoft to buy out the entire corporation. Any business transaction of this size takes months to prepare, if not years. So most of the rumors from early 2013 appear to have been true. Our beloved (NOT!) "mole-man" or "Microsoft agent" Mr. E-flop managed to push the corporation's value down so that his seat as CEO of Microsoft could be granted with this move.
This is also a good day for the Finnish ICT industry, as a lot of what-iffing can stop and people can concentrate on actually doing good things.
Bullshit floating around:
- Part of the Finnish national identity was lost: Sure thing, Nokia was our own pride and joy, but things keep changing, get used to it! After all, Nokia did fuck up their own business by having too much pride to see what others were doing. Not to mention their horrible reorganizations that managed to completely kill their ability to innovate. I was proud of what they did in the 90s and how they ruled the mobile world then, but not of how they managed to get too cocky in the 00s.
- Nokia was about to go bankrupt: No, according to their Q2 2013 interim report they had assets of 4.4 billion €, which does not sound like bankruptcy to me
- Nokia was about to abandon Windows Phone and go to Android: I don't think so, Lumia was starting to sell like hotcakes
- The press is stating that "Microsoft bought Nokia": Idiots! No they did not! They purchased the Devices & Services division. A lot of Nokia is still left. Neither did Google acquire Motorola; they just got the Motorola Mobility division. There is a difference.
- Nokia should have chosen platform X instead of Windows Phone:
- Apple iOS: really not available
- Blackberry: perhaps; a ready platform, low on features, but the Nokia guys could have done something with it. Not as ready-to-go as they'd hope
- Palm / webOS: naah, too old crap, though HP was ready to eject it. The price would have been cheap, but same story as Blackberry.
- Nokia's own MeeGo: Technically superior to anything; the trouble was that they put a lot of money into it and, due to their own organization's mismanagement, could not produce anything real in time and decided to sink it. A new platform lacks a developer community, though. Ex-Nokia people bought it and formed a new company, Jolla.
- Android: Buggy, insecure, totally dominated by Asian companies like Samsung, LG and HTC. Really difficult to create something innovative at a cheaper price. Totally out of the question.
- Windows Phone: History has proven that Nokia really managed to get it working. The trouble is that Microsoft has a very slow development cycle. They're not accustomed to working in the mobile field at all. Perhaps Microsoft will now detach Windows Phone from Windows completely and allow it to move rapidly.
- Microsoft made a mistake with the acquisition: I don't think so. Their PC business is fading and they really want to expand. Mr. Ballmer has set the vision to be a devices & services business, and that's what they bought.
- Finland will lose a lot of ICT jobs: Why would Microsoft move mobile phone development to Redmond? They have a proven track record of that not working. Also, what many people are afraid of is Microsoft scaling down the mobile business. Why would they do that? They just spent 5.4 billion € on it; why would they kill it after that? So I don't think this will have a major impact on the ICT workforce.
- Nokia will have a grim future: Well, no. They divested the division that wasn't making any profit. They kept their patent portfolio, which generates 1 billion € of revenue each year. They have plenty of money; probably they'll just purchase Jolla and start making nice mobile phones again.
Huawei B593 4G-router dropping to 2G EDGE
Monday, September 2. 2013
My 4G router drops to 2G EDGE after running for a couple of weeks. It's a really weird thing, since it does not always do it. Also the total online time is really weird. I hardly think that the online time can be 9 years or so.
I could not find any other remedy than to reboot. After that it scans for connections, finds 4G/3G/2G and chooses the fastest one like it should.
This is just a nuisance. I'd expect the box to be a little bit more robust.
The online time calculator thing is a really weird one. It seems to jump 200 days during 8 hours when it feels like it. Apparently the entire calculator is busted.
Changing network location on Windows 8 and 2012
Saturday, August 31. 2013
Is it just me, or has somebody at Microsoft really dropped the ball on the network location setting? When a Windows computer detects a new network which it has not been attached to earlier, it pops up the question and asks how to profile the security in that particular case. If everything goes ok, there is no need to change anything. However, when you install your computer, you don't get to answer that. Also, it is commonly known that people make mistakes. What if you simply fumbled the question and clicked wrong?
In Windows 7 the setting is simple:
You go there, click the value and select a better one. In Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2 that is not the case. The setting cannot be changed. Period. Wtf?
There is a way to change the setting. I found this article with Google: How do I set my wireless network to be private instead of public? The "Easiest" and "Most direct" options are crap, IMHO. The part with Local Security Policy seems to work:
That seems to work from Windows 7 onwards. Whose bright idea was it to make the change that difficult?
Acronis 2014 released
Friday, August 30. 2013
I've had my issues with Acronis True Image. It fails at running backups, restoring, or consolidating existing backups to reduce storage. See my earlier posts about that (1 and 2).
Then they sent this automated e-mail about eligibility for an upgrade at a reduced price. I need backup, that's a given, but I have been unable to find anything reasonable as a replacement. After a short pros/cons weighing, I decided to go for the update and got Acronis True Image 2014 Premium.
Pros:
- I know them and their product
- I'm "pot committed" to them already
- When I know what not to do, I manage to produce restorable backups
Cons:
- I know them and their product
- I'm "pot committed" to them already
- Consolidation does not work
- Stupid restore errors on raw disks
There were no real issues during the update. They still don't support HTTP proxying and simply assume that everybody can connect to their servers anytime, all the time. I managed to get past that; an increasing number of software vendors make that assumption. What about those of us who'd like to know what goes on in our networks? They completely forget us.
Anyway, my backups run fine after the upgrade. During my consolidation experiments I managed to delete some backup files from my storage. Now True Image wants to see them. When I get rid of that problem, I should be running smoothly.
I'll report here if something nasty happens.
Using the DMZ-setting of Huawei B593
Thursday, August 29. 2013
My previous post about my Huawei B593 4G-router has become quite popular, so I thought to tell more about my setup.
What I'd really need is a network bridge, so that my Linux box would be the one getting a dynamically changing public IP via DHCP. Understandably, it simply cannot be done with a mobile router. In a UMTS network the mobile terminal negotiates a data connection and gets the IP address associated with the connection. There literally is no way for my router to do that via the B593. Using a USB-based mobile terminal such a feat could be achieved; for example, my Huawei E160 gets an IP address directly on the Linux. No 4G LTE, though. So I'll be sticking with my B593 for a while. See an example of a transfer speed measurement at Ookla Speedtest.net. Not bad, huh?
I also investigated whether the box would be Linux-based. Huawei has some GPL components in the firmware, but they don't release BusyBox or Dropbear source. It is possible that they are using something of their own make, or simply don't have a prompt, or are not using Linux at all. The reason I'd like to see them is that both BusyBox and the Dropbear SSHd are very typically used in Linux-based hardware.
A port scan from the LAN side to the B593 reveals that it has something there:
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp open http
443/tcp open https
631/tcp filtered ipp
MAC Address: F8:3D:FF:F8:3D:FF (Huawei Technologies Co.)
... but since all the nice stuff (SSH and telnet) is filtered, I don't know if there are actually any services listening on those ports.
To repeat: to my understanding, a bridging firmware cannot be done. However, something very similar can be achieved: it has a DMZ setting. See:
It says "You can configure a computer as the DMZ host that is exposed to the Internet so that unlimited services and exchanges are provided between the host and Internet, for example, online games and meetings." on the page. That is pretty much the same as a bridge.
I had to test if it really would work. I took the hping utility for crafting raw IP packets and ran:
hping -c 1 -n <-da-IP-address-here> -e "AAAA" -0 --ipproto 41
That sent a single (-c 1) raw IP packet (-0) and stamped the outgoing packet with the IPv6 encapsulation protocol number (--ipproto 41). If the Huawei only had simple UDP & TCP forwarding, such a packet would never pass through.
On my Linux it said:
16:15:50.115851 IP sending.host.com > receiving.host.net: [|ip6]
16:15:50.115920 IP receiving.host.net > sending.host.com: ICMP host receiving.host.net unreachable - admin prohibited, length 32
Goddamn! It works! The packet properly passes through.
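As an added example (not part of the original post), the probe above and the reply that proves it got through, rebuilt in Python: `build_probe` produces the same packet `hping -0 --ipproto 41 -e AAAA` sends (a 20-byte IPv4 header with protocol 41, a valid header checksum and a 4-byte payload), and `classify_reply` reads an ICMP destination-unreachable message the way the tcpdump line above has to be read. The "admin prohibited" reply comes from the receiving host's own firewall, which means the packet crossed the DMZ box; no reply at all would mean the box only forwards TCP/UDP. Addresses are documentation/private ranges, and `make_admin_prohibited_reply` is a constructed stand-in for what a Linux `REJECT --reject-with icmp-admin-prohibited` rule sends back, so the whole thing runs offline; `send_probe` is the only part that touches the network and needs root.

```python
import socket
import struct
from typing import Optional

IPPROTO_IPV6_ENCAP = 41        # "IPv6-in-IPv4" (RFC 4213); what hping --ipproto 41 stamps
ICMP_DEST_UNREACH = 3
ADMIN_PROHIBITED = {9: "network administratively prohibited",
                    10: "host administratively prohibited",
                    13: "communication administratively prohibited"}   # tcpdump: "admin prohibited"
IPV4_HDR = "!BBHHHBBH4s4s"     # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; yields 0 when run over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (no options) + payload, with the header checksum filled in."""
    fields = [0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = internet_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + payload


def build_probe(src: str, dst: str) -> bytes:
    """The packet `hping -c 1 -0 --ipproto 41 -e AAAA <dst>` puts on the wire."""
    return build_ipv4(src, dst, IPPROTO_IPV6_ENCAP, b"AAAA")


def parse_ipv4(packet: bytes) -> dict:
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {"protocol": proto, "ttl": ttl,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": internet_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:total_len]}


def classify_reply(reply: Optional[bytes], probe: bytes) -> str:
    """Interpret what came back for the probe:
    - None: nothing answered, so the NAT/DMZ box (or a filter upstream) dropped protocol 41
    - ICMP unreachable / admin-prohibited quoting a protocol-41 header: the packet reached
      the far host, whose own firewall rejected it, so the DMZ box forwarded a non-TCP/UDP protocol"""
    if reply is None:
        return "dropped: no reply, protocol 41 did not get through"
    ip = parse_ipv4(reply)
    if ip["protocol"] != socket.IPPROTO_ICMP:
        return "unexpected: non-ICMP reply (protocol %d)" % ip["protocol"]
    icmp = ip["payload"]
    itype, icode = icmp[0], icmp[1]
    quoted = icmp[8:]                       # offending IP header + first 8 payload bytes (RFC 792)
    quoted_proto = quoted[9] if len(quoted) > 9 else None
    if itype == ICMP_DEST_UNREACH and icode in ADMIN_PROHIBITED and quoted_proto == probe[9]:
        return "forwarded: far host answered '%s' for our protocol-%d probe" % (
            ADMIN_PROHIBITED[icode], probe[9])
    return "unexpected: ICMP type %d code %d" % (itype, icode)


def make_admin_prohibited_reply(probe: bytes) -> bytes:
    """Constructed stand-in for the reply a Linux `REJECT --reject-with icmp-admin-prohibited`
    rule sends: ICMP type 3 code 13, quoting the probe's header and first 8 payload bytes."""
    p = parse_ipv4(probe)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, 13, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    return build_ipv4(p["dst"], p["src"], socket.IPPROTO_ICMP, icmp)


def send_probe(packet: bytes) -> None:
    """Transmit a hand-built packet (needs CAP_NET_RAW / root); not used by the offline demo."""
    dst = parse_ipv4(packet)["dst"]
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    probe = build_probe("192.168.1.10", "192.0.2.1")      # constructed LAN host and far host
    print(parse_ipv4(probe))
    print(classify_reply(None, probe))
    print(classify_reply(make_admin_prohibited_reply(probe), probe))
```

When run for real, the reply arrives on a raw ICMP socket or, as in the post, in tcpdump; the decisive detail is the quoted header inside the ICMP message, which carries the protocol number of the packet that was rejected and so ties the answer to this probe rather than to unrelated traffic.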
My conclusion is that the DMZ function is actually usable. Apparently there is no need for SSH-prompt-based configuration tweaking. It would always be nice, though. All Linux nerds like me simply love to go to the prompt, type cat /proc/version and cat /proc/cpuinfo and boast about their hacking abilities to anybody who cares (not) to listen.