Neil Bothwick wrote:

> On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:
>
> > > If you are using NAT on the router, you have to explicitly forward
> > > that port somewhere for it to work. [...]
> >
> > Except that this is not completely true [...]
>
> "So the router maintains a database of current connections

This is not true for a standard NAT router. Only special routers with
additional functionality can do this. Not to mention that occasionally
bugs in the implementations of such routers are also found (e.g. using
DOS to attempt a database overflow is an attack which comes to mind in
the "generic" case).
In any case, it depends on how much you can trust the router, while if
the port is not open on your machine you do not have such a risk at
all. So why take an unnecessary risk?

> In addition, the default rsyncd configuration with Gentoo uses a chroot
> jail.

Also, a chroot jail is not a security feature: there are several known ways
to break out. Well, if you use grsecurity (hardened-sources), at least
the most gaping security holes are closed in this respect, but this too
is no guarantee and can hinder you when you have other uses for chroot.
Not to mention that rsyncd introduces additional code anyway,
which might also be vulnerable in an unexpected manner (e.g. in connection
with a kernel bug or who-knows-what).

> After all, isn't that exactly how Gentoo mirrors work?

If you offer something on the net you certainly have an increased
risk that the corresponding machine is compromised - every mirror
administrator is aware of this (or at least he should be). But
there is no reason to take any such sort of risk in a network which
is not supposed to offer services to other people.
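The argument above boils down to "if the port is not open on your machine, the router's behaviour does not matter". The following script is an added example (not from this thread or from any of the posters) that shows how to verify that for yourself on a Linux host: it parses the kernel's `/proc/net/tcp` table, lists every socket in the LISTEN state, and flags those bound to a non-loopback address, i.e. ports a remote host could reach unless a firewall or the NAT router blocks them. The table embedded below is constructed; it contains an sshd on port 22, an rsyncd on port 873 (rsync's registered port) bound to all interfaces, and a loopback-only service, so the script has something to report offline.

```python
"""Audit which TCP ports a Linux host exposes, by parsing /proc/net/tcp.

Added example, not part of the mailing-list thread. The kernel writes one
line per socket; the local address is '<hex IPv4, little-endian>:<hex port>'
and the 'st' column is the TCP state (0A == LISTEN).
"""
import socket
import struct

LISTEN = 0x0A  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: header plus four sockets.
#   0: sshd   listening on 0.0.0.0:22      (0x0016)
#   1: rsyncd listening on 0.0.0.0:873     (0x0369)
#   2: a local-only service on 127.0.0.1:631 (0x0277)
#   3: an ESTABLISHED connection (state 01), which must be ignored
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0A00020F:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""


def parse_hex_endpoint(field):
    """Convert 'AABBCCDD:PPPP' from /proc/net/tcp into ('a.b.c.d', port).

    The address is a 32-bit word in host (little-endian on x86) byte order,
    so it is unpacked as '<I' and re-packed in network order for inet_ntoa.
    """
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))  # e.g. 0100007F -> 7F 00 00 01
    return socket.inet_ntoa(packed), int(port_hex, 16)


def listening_sockets(table_text):
    """Return [(ip, port), ...] for every socket whose state is LISTEN."""
    results = []
    for line in table_text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], int(fields[3], 16)
        if state == LISTEN:
            results.append(parse_hex_endpoint(local))
    return results


def exposed_listeners(table_text):
    """Listening sockets bound to anything other than 127.0.0.0/8.

    These are the ports reachable from the network if nothing in between
    (host firewall, NAT router) blocks them; a loopback-only bind is not.
    """
    return [(ip, port) for ip, port in listening_sockets(table_text)
            if not ip.startswith("127.")]


if __name__ == "__main__":
    # On a real host, replace the sample with open("/proc/net/tcp").read()
    for ip, port in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port} is reachable from the network")
```

Run on the constructed table it reports `0.0.0.0:22` and `0.0.0.0:873` and stays silent about the loopback-only service. On a real machine, pass `open("/proc/net/tcp").read()` instead of the sample (and `/proc/net/tcp6` for IPv6, whose 128-bit address column this parser does not handle); anything it lists that you did not intend to offer to the network is exactly the "unnecessary risk" the post is talking about, and the remedy is to stop the daemon or bind it to 127.0.0.1 rather than to rely on the router.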