| 1 |
Hi Vaeth, |
| 2 |
on Tue, Sep 16, 2008 at 07:54:43PM +0200, you wrote: |
| 3 |
> > I don't even see why you'd strictly need connection tracking to avoid |
| 4 |
> > attacks made possible by grossly misconfigured ISP routers. Your router |
| 5 |
> > knows that packets with a destination address of 10/8, 192.168/16 and |
| 6 |
> > the like have absolutely no business on the public internet so the only |
| 7 |
> > sensible behavior would be to just drop them. |
| 8 |
> |
| 9 |
> This also requires a special kind of router: Namely one which has a |
| 10 |
> physical way of distinguishing between the "dangerous" connection to |
| 11 |
> the net and your local network (if they are dynamic, this can also |
| 12 |
> sometimes be tricked). Of course, combined router/modems have this |
| 13 |
> separation practically "by definition". |
| 14 |
|
| 15 |
I can only recall one router where this wasn't the case, my first weird |
| 16 |
and wonderful DSL line in the Philippines :D Normally, why bother |
| 17 |
routing if you can just physically connect the thwo networks and have |
| 18 |
their traffic intermix? |
| 19 |
|
| 20 |
> However, in any case it requires that the functionality you mention is |
| 21 |
> implemented on the router and has no bugs and that the router cannot |
| 22 |
> be compromised by other means. |
| 23 |
|
| 24 |
Sure, if your router is compromised you're fuxx0red anyway. I was just |
| 25 |
saying that in any halfway sane router these NAT problems are not an |
| 26 |
issue. And with many routers running Linux today so you can even get a |
| 27 |
shell and check iptables... :) |
| 28 |
|
| 29 |
cheers, |
| 30 |
Matthias |
| 31 |
-- |
| 32 |
I prefer encrypted and signed messages. KeyID: FAC37665 |
| 33 |
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665 |
Archives