Consumer Grade - IPV6 Enabled Router Firewalls.
Simon Perreault
simon.perreault at viagenie.ca
Fri Dec 11 13:26:57 UTC 2009
Valdis.Kletnieks at vt.edu wrote, on 2009-12-11 08:06:
> On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
>> Mark Newton wrote, on 2009-12-11 03:09:
>>> You kinda do if you're using a stateful firewall with a "deny
>>> everything that shouldn't be accepted" policy. UPnP (or something
>>> like it) would have to tell the firewall what should be accepted.
>>
>> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
>> shouldn't trust anything else to tell it what is good and bad traffic.
>
> What do you suggest?
That depends on the circumstances. UPnP is fine in some circumstances and wrong
in others.
> We *know* that if a worm puts up
> a popup that says "Enable port 33493 on your firewall for naked pics of.."
> that port 33493 will get opened anyhow, so we may as well automate the
> process and save everybody the effort.
Not if the victim doesn't have rights on the firewall (e.g. enterprise).
Simon
--
DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org