[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Thu, Feb 3, 2011 at 12:18 AM, Jay Ashworth <jra at baylink.com> wrote:

> Complexity of the configuration vastly increases the size of the
> attack surface: in a NATted edge network, *no packets can come in
> unless I explicitly configure for them*; there are any number of
> reasons why an equivalently simply assertion cannot be made concerning
> the configuration of firewalls, of whatever type or construction.

I've always wondered how many consumer-grade routers aren't actually
doing this, and the fact that they don't do this is masked by the use
of RFC1918 addresses on the internal side of the router. (Linux with
netfilter won't, by default, unless you change the default ACCEPT
policy, or add a specific rule to block incoming packets.)