On Tue, 16 Sep 2008, Matthias Bethke wrote:

> I don't even see why you'd strictly need connection tracking to avoid
> attacks made possible by grossly misconfigured ISP routers. Your router
> knows that packets with a destination address of 10/8, 192.168/16 and
> the like have absolutely no business on the public internet so the only
> sensible behavior would be to just drop them.

This also requires a special kind of router: namely one which has a
physical way of distinguishing between the "dangerous" connection to
the net and your local network (if they are dynamic, this can also
sometimes be tricked). Of course, combined router/modems have this
separation practically "by definition". However, in any case it
requires that the functionality you mention is implemented on the
router and has no bugs and that the router cannot be compromised by
other means.
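An interface-bound version of the rule discussed above, as an added example that is not part of the thread or of any router's firmware: it models the verdict "private-range addresses have no business arriving from, or leaving towards, the Internet" and shows why the rule is only as good as the router's knowledge of which interface is the WAN side. The interface names ppp0 (WAN) and eth0 (LAN) and the sample packets are assumptions; the emitted iptables commands are standard netfilter syntax, not taken from any particular device.

```python
"""Interface-aware bogon filter (added example, not from the original post).

Drops traffic whose source or destination lies in RFC 1918 space (plus
loopback and link-local) when it crosses the WAN interface. The verdict
depends entirely on knowing which interface is the WAN one; if that is
unknown the filter refuses to run rather than silently passing everything.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ranges that must never be seen as source or destination on the public side.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # IPv4 link-local
)]


@dataclass(frozen=True)
class Packet:
    in_iface: Optional[str]   # interface the packet arrived on (None = locally generated)
    out_iface: Optional[str]  # interface it would leave on (None = delivered to the router)
    src: str
    dst: str


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def verdict(pkt: Packet, wan_ifaces: Iterable[str]) -> str:
    wan = set(wan_ifaces)
    if not wan:
        # Without a fixed notion of "the dangerous side" the rule cannot be
        # applied at all; this is the point about dynamic interfaces.
        raise ValueError("no WAN interface configured; cannot apply bogon filter")
    # Ingress from the net: a private source is spoofed, a private destination
    # was routed to us by a misconfigured upstream. Both are dropped.
    if pkt.in_iface in wan and (is_bogon(pkt.src) or is_bogon(pkt.dst)):
        return "DROP"
    # Egress to the net: never send traffic for private destinations upstream.
    if pkt.out_iface in wan and is_bogon(pkt.dst):
        return "DROP"
    return "ACCEPT"


def filter_packets(packets: Iterable[Packet], wan_ifaces: Iterable[str]) -> List[str]:
    return [verdict(p, wan_ifaces) for p in packets]


def iptables_rules(wan_iface: str) -> List[str]:
    """Equivalent netfilter rules; note every rule is keyed on the WAN name."""
    rules = []
    for net in BOGON_NETS:
        for chain in ("INPUT", "FORWARD"):
            rules.append(f"iptables -A {chain} -i {wan_iface} -s {net} -j DROP")
            rules.append(f"iptables -A {chain} -i {wan_iface} -d {net} -j DROP")
        for chain in ("OUTPUT", "FORWARD"):
            rules.append(f"iptables -A {chain} -o {wan_iface} -d {net} -j DROP")
    return rules


# Constructed sample traffic (not a real capture). ppp0 is the assumed WAN
# interface, eth0 the assumed LAN interface; 203.0.113.0/24 and
# 198.51.100.0/24 stand in for public addresses.
SAMPLE_PACKETS = [
    Packet("ppp0", None,   "192.168.1.7",  "203.0.113.5"),  # spoofed private source from the net
    Packet("ppp0", "eth0", "198.51.100.9", "10.0.0.3"),     # private destination leaked in by upstream
    Packet("ppp0", None,   "198.51.100.9", "203.0.113.5"),  # ordinary public traffic
    Packet("eth0", "ppp0", "192.168.1.7",  "203.0.113.5"),  # LAN host going out; private src is normal here
    Packet("eth0", "ppp0", "192.168.1.7",  "10.1.2.3"),     # LAN host trying to reach private space via the net
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS, {"ppp0"})):
        print(f"{v:6} in={pkt.in_iface} out={pkt.out_iface} {pkt.src} -> {pkt.dst}")
    print("\n".join(iptables_rules("ppp0")))
```

The generated rules make the dependency explicit: every one of them carries `-i ppp0` or `-o ppp0`, so if the device assigns interface roles dynamically and a LAN port ends up under the WAN name (or the WAN link comes up under another name), the rules match the wrong traffic or nothing at all, which is the "can be tricked" case in the reply.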