Hi Vaeth,

on Tue, Sep 16, 2008 at 07:54:43PM +0200, you wrote:

> > I don't even see why you'd strictly need connection tracking to avoid
> > attacks made possible by grossly misconfigured ISP routers. Your router
> > knows that packets with a destination address of 10/8, 192.168/16 and
> > the like have absolutely no business on the public internet so the only
> > sensible behavior would be to just drop them.
>
> This also requires a special kind of router: Namely one which has a
> physical way of distinguishing between the "dangerous" connection to
> the net and your local network (if they are dynamic, this can also
> sometimes be tricked). Of course, combined router/modems have this
> separation practically "by definition".

I can only recall one router where this wasn't the case, my first weird
and wonderful DSL line in the Philippines :D Normally, why bother
routing if you can just physically connect the two networks and have
their traffic intermix?

> However, in any case it requires that the functionality you mention is
> implemented on the router and has no bugs and that the router cannot
> be compromised by other means.

Sure, if your router is compromised you're fuxx0red anyway. I was just
saying that in any halfway sane router these NAT problems are not an
issue. And with many routers running Linux today, you can even get a
shell and check iptables... :)

cheers,
Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
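The rule set the two posters are describing, written out as an added example (it is not code from the thread or from any particular router firmware): packets that would leave through the ISP-facing interface with a private (RFC 1918) destination are dropped, and the mirror case of packets arriving from the ISP side with a private source address is dropped as well. The interface name `WAN`, the chain layout and the `APPLY` switch are assumptions of this example; the ranges themselves are the ones the thread mentions plus 172.16/12 and link-local 169.254/16.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) iptables
# rules that drop traffic with a private destination heading out to the ISP,
# and traffic with a private source coming in from the ISP.
# The interface name, chain layout and APPLY switch are assumptions.

# RFC 1918 ranges (10/8, 172.16/12, 192.168/16) plus link-local 169.254/16.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# private_dst_rules WAN_IF
# One rule per range for traffic leaving via the WAN interface. FORWARD covers
# hosts behind the router, OUTPUT covers the router itself. A private
# destination has no business on the public internet, so it is dropped.
private_dst_rules() {
    wan="$1"
    for net in $PRIVATE_NETS; do
        echo "iptables -A FORWARD -o $wan -d $net -j DROP"
        echo "iptables -A OUTPUT -o $wan -d $net -j DROP"
    done
}

# private_src_rules WAN_IF
# The reverse direction: a packet arriving from the ISP side that claims a
# private source address is spoofed or leaked by a misconfigured upstream
# router, so it is dropped before it reaches NAT or any local service.
private_src_rules() {
    wan="$1"
    for net in $PRIVATE_NETS; do
        echo "iptables -A INPUT -i $wan -s $net -j DROP"
        echo "iptables -A FORWARD -i $wan -s $net -j DROP"
    done
}

# count_rules RULES
# Number of DROP rules in a generated set; useful when comparing against what
# a router's live ruleset shows in `iptables -S`.
count_rules() {
    printf '%s\n' "$1" | grep -c -- '-j DROP'
}

# Usage:  WAN=ppp0 sh drop_private.sh          -> print the rules
#         WAN=ppp0 APPLY=1 sh drop_private.sh  -> run them (needs root on the router)
if [ -n "$WAN" ]; then
    rules="$(private_dst_rules "$WAN"; private_src_rules "$WAN")"
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh
    else
        printf '%s\n' "$rules"
    fi
fi
```

The rules are generated as text first so they can be reviewed, diffed against `iptables -S` output from the router, or fed to `sh` only once you are satisfied; on a router with a single combined LAN/WAN segment (the case Vaeth raises) the `-i`/`-o` interface match is what makes the distinction, so the rules only help where the two sides really are separate interfaces.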