On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:

> > If you are using NAT on the router, you have to explicitly forward
> > that port somewhere for it to work. [...]
>
> Except that this is not completely true: See some of the many articles
> on the net which explain why NAT is not a security feature. A quick
> google search gave e.g.
> http://www.nexusuk.org/articles/2005/03/12/nat_security/
>

"So the router maintains a database of current connections so that traffic
is always allowed through for them, and you can tell it to filter all new
connections made from the internet whilst allowing all new connections
made from inside the local network. This means that no one can make a
connection from the internet to one of your workstations, even though
they can route to its address."

If the relevant ports are not forwarded in the router, this applies and
no one can make a new connection to your rsync server.

In addition, the default rsyncd configuration with Gentoo uses a chroot
jail. So even if you do allow connections to your portage tree, they
won't be able to access anything else. After all, isn't that exactly how
Gentoo mirrors work?


-- 
Neil Bothwick

There is absolutely no substitute for a genuine lack of preparation.
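To make the quoted article's point concrete, here is a small simulation, added here and not taken from the thread or from any router's firmware, of the connection table it describes: packets belonging to a tracked flow pass in both directions, new connections from the LAN are tracked, and new connections arriving from the internet are dropped unless their port was explicitly forwarded. It models only that state-table decision, not the address rewriting NAT itself does; all addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

LAN, WAN = "lan", "wan"   # interface a packet arrives on

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Models the connection table of a NAT router, not the address rewriting."""
    def __init__(self, forwarded_ports=()):
        self.forwarded = set(forwarded_ports)   # ports the admin explicitly forwarded
        self.conns = set()                      # tracked flows, direction-agnostic

    @staticmethod
    def _flow(pkt):
        # Same key for a packet and its reply, so return traffic matches.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def handle(self, pkt):
        flow = self._flow(pkt)
        if flow in self.conns:
            return "ACCEPT"            # belongs to an existing connection
        if pkt.iface == LAN:
            self.conns.add(flow)       # new connection from inside: track it
            return "ACCEPT"
        if pkt.dport in self.forwarded:
            self.conns.add(flow)       # new connection from the internet to a forwarded port
            return "ACCEPT"
        return "DROP"                  # unsolicited connection from the internet

def run(packets, forwarded_ports=()):
    """Return the verdict for each packet in order, sharing one connection table."""
    fw = StatefulFilter(forwarded_ports)
    return [fw.handle(p) for p in packets]

# Constructed sample traffic: a LAN workstation browsing out, the reply coming
# back, and an internet host trying to reach the LAN rsync port (873).
SAMPLE = [
    Packet(LAN, "192.168.1.10", 40000, "203.0.113.5", 80),
    Packet(WAN, "203.0.113.5", 80, "192.168.1.10", 40000),
    Packet(WAN, "198.51.100.7", 50000, "192.168.1.10", 873),
]

if __name__ == "__main__":
    print(run(SAMPLE))          # ['ACCEPT', 'ACCEPT', 'DROP']
    print(run(SAMPLE, {873}))   # ['ACCEPT', 'ACCEPT', 'ACCEPT']
```

With no port forwarded, the inbound rsync attempt is dropped even though the workstation's address is routable; forwarding port 873 is exactly what opens it, which is the distinction the two replies above are making.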