| 1 |
Hi Neil, |
| 2 |
on Tue, Sep 16, 2008 at 04:59:39PM +0100, you wrote: |
| 3 |
> > Except that this is not completely true: See some of the many articles |
| 4 |
> > in the net which explain why NAT is not a security feature. A quick |
| 5 |
> > google search gave e.g. |
| 6 |
> > http://www.nexusuk.org/articles/2005/03/12/nat_security/ |
| 7 |
> |
| 8 |
> "So the router maintains a database of current connections so that traffic |
| 9 |
> is always allowed through for them, and you can tell it to filter all new |
| 10 |
> connections made from the internet whilest allowing all new connections |
| 11 |
> made from inside the local network. This means that noone can make a |
| 12 |
> connection from the internet to one of your workstations, even though |
| 13 |
> they can route to its address." |
| 14 |
> |
| 15 |
> If the relevant ports are not forwarded in the router, this applies and |
| 16 |
> no one can make a new connection to your rsync server. |
| 17 |
|
| 18 |
I don't even see why you'd strictly need connection tracking to avoid |
| 19 |
attacks made possible by grossly misconfigured ISP routers. Your router |
| 20 |
knows that packets with a destination address of 10/8, 192.168/16 and |
| 21 |
the like have absolutely no business on the public internet so the only |
| 22 |
sensible behavior would be to just drop them. |
| 23 |
|
| 24 |
cheers, |
| 25 |
Matthias |
| 26 |
-- |
| 27 |
I prefer encrypted and signed messages. KeyID: FAC37665 |
| 28 |
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665 |
Archives