| 1 |
On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote: |
| 2 |
|
| 3 |
> > If you are using NAT on the router, you have to explicitly forward |
| 4 |
> > that port somewhere for it to work. [...] |
| 5 |
> |
| 6 |
> Except that this is not completely true: See some of the many articles |
| 7 |
> in the net which explain why NAT is not a security feature. A quick |
| 8 |
> google search gave e.g. |
| 9 |
> http://www.nexusuk.org/articles/2005/03/12/nat_security/ |
| 10 |
> |
| 11 |
|
| 12 |
"So the router maintains a database of current connections so that traffic |
| 13 |
is always allowed through for them, and you can tell it to filter all new |
| 14 |
connections made from the internet whilest allowing all new connections |
| 15 |
made from inside the local network. This means that noone can make a |
| 16 |
connection from the internet to one of your workstations, even though |
| 17 |
they can route to its address." |
| 18 |
|
| 19 |
If the relevant ports are not forwarded in the router, this applies and |
| 20 |
no one can make a new connection to your rsync server. |
| 21 |
|
| 22 |
In addition, the default rsyncd configuration with Gentoo uses a chroot |
| 23 |
jail. So even if you do allow connections to your portage tree, they |
| 24 |
won't be able to access anything else. After all, isn't that exactly how |
| 25 |
Gentoo mirrors work? |
| 26 |
|
| 27 |
|
| 28 |
-- |
| 29 |
Neil Bothwick |
| 30 |
|
| 31 |
There is absolutely no substitute for a genuine lack of preparation. |
Archives