Consumer Grade - IPV6 Enabled Router Firewalls.

Simon Perreault simon.perreault at viagenie.ca
Fri Dec 11 07:26:57 CST 2009


Valdis.Kletnieks at vt.edu wrote, on 2009-12-11 08:06:
> On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
>> Mark Newton wrote, on 2009-12-11 03:09:
>>> You kinda do if you're using a stateful firewall with a "deny
>>> everything that shouldn't be accepted" policy.  UPnP (or something
>>> like it) would have to tell the firewall what should be accepted.
>>
>> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
>> shouldn't trust anything else to tell it what is good and bad traffic.
> 
> What do you suggest?

That depends on the circumstances. UPnP is fine in some circumstances and wrong
in others.

> We *know* that if a worm puts up
> a popup that says "Enable port 33493 on your firewall for naked pics of.."
> that port 33493 will get opened anyhow, so we may as well automate the
> process and save everybody the effort.

Not if the victim doesn't have rights on the firewall (e.g. enterprise).

Simon
-- 
DNS64 open-source   --> http://ecdysis.viagenie.ca
STUN/TURN server    --> http://numb.viagenie.ca
vCard 4.0           --> http://www.vcarddav.org




More information about the NANOG mailing list