Hi Neil,

on Tue, Sep 16, 2008 at 04:59:39PM +0100, you wrote:

> > Except that this is not completely true: See some of the many articles
> > in the net which explain why NAT is not a security feature. A quick
> > google search gave e.g.
> > http://www.nexusuk.org/articles/2005/03/12/nat_security/
>
> "So the router maintains a database of current connections so that traffic
> is always allowed through for them, and you can tell it to filter all new
> connections made from the internet whilst allowing all new connections
> made from inside the local network. This means that no one can make a
> connection from the internet to one of your workstations, even though
> they can route to its address."
>
> If the relevant ports are not forwarded in the router, this applies and
> no one can make a new connection to your rsync server.

I don't even see why you'd strictly need connection tracking to avoid
attacks made possible by grossly misconfigured ISP routers. Your router
knows that packets with a destination address of 10/8, 192.168/16 and
the like have absolutely no business on the public internet so the only
sensible behavior would be to just drop them.

cheers,
Matthias
--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
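The two mechanisms the thread contrasts, the connection table from the quoted nexusuk.org article and the stateless "private destination on the WAN is bogus" rule from Matthias's reply, as a small toy model. This is an added example, not code from the thread or from any router firmware; the interface names, verdict strings, the port-forward table and the 198.51.100.0/24 and 203.0.113.0/24 documentation addresses are assumptions chosen for illustration.

```python
"""
Toy model of a home router: source NAT plus a connection table, with a
stateless bogon rule evaluated before any state lookup. Constructed
example; nothing here is taken from a real router implementation.
"""
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 address space: never a valid destination (or source) on the WAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "wan" or "lan" (assumed names)
    src: str
    dst: str
    sport: int
    dport: int


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class Router:
    def __init__(self, public_ip: str, forwards=None):
        self.public_ip = public_ip
        # Admin-configured port forwards: WAN dport -> (LAN host, LAN port).
        self.forwards = dict(forwards or {})
        # Outbound flows: (lan src, sport, peer, peer port) -> NAT port.
        self.outbound = {}
        # Connection table for replies: (peer, peer port, NAT port) -> (lan src, sport).
        self.conntrack = {}
        self.next_nat_port = 40000

    def handle(self, pkt: Packet):
        """Return (verdict, packet as it leaves the router, or None if dropped)."""
        if pkt.iface == "lan":
            return self._from_lan(pkt)
        if pkt.iface == "wan":
            return self._from_wan(pkt)
        return "DROP:unknown-iface", None

    def _from_lan(self, pkt: Packet):
        # Any new connection from inside is allowed: allocate a NAT port,
        # record the flow, and rewrite the source so the peer replies to us.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.outbound.get(key)
        if nat_port is None:
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            self.outbound[key] = nat_port
            self.conntrack[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        out = replace(pkt, iface="wan", src=self.public_ip, sport=nat_port)
        return "ACCEPT:new-from-lan", out

    def _from_wan(self, pkt: Packet):
        # Stateless rule first: a private destination or source on the WAN
        # only shows up because an upstream router is misconfigured (or the
        # source is spoofed), so it is dropped before any state is consulted.
        if is_private(pkt.dst) or is_private(pkt.src):
            return "DROP:bogon", None
        if pkt.dst != self.public_ip:
            return "DROP:not-for-us", None
        # Reply to a LAN-originated flow: undo the NAT and pass it inside.
        lan = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if lan is not None:
            return "ACCEPT:established", replace(pkt, iface="lan", dst=lan[0], dport=lan[1])
        # An explicit port forward is the only way a new WAN connection reaches a host.
        if pkt.dport in self.forwards:
            host, port = self.forwards[pkt.dport]
            return "ACCEPT:port-forward", replace(pkt, iface="lan", dst=host, dport=port)
        return "DROP:new-from-wan", None
```

The model makes the thread's point explicit: the rsync server on 192.168.1.10 is unreachable from the WAN either because a leaked packet addressed to it dies on the bogon rule, or because an unsolicited packet to the public address finds no conntrack entry and no port forward. Neither protection comes from the address translation itself.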