quietly....

Nicholas Suan nsuan at nonexiste.net
Thu Feb 3 00:24:47 CST 2011


On Thu, Feb 3, 2011 at 12:18 AM, Jay Ashworth <jra at baylink.com> wrote:

> Complexity of the configuration vastly increases the size of the
> attack surface: in a NATted edge network, *no packets can come in
> unless I explicitly configure for them*; there are any number of
> reasons why an equivalently simply assertion cannot be made concerning
> the configuration of firewalls, of whatever type or construction.
>

I've always wondered how many consumer-grade routers aren't actually
doing this, and the fact that they don't do this is masked by the use
of RFC1918 addresses on the internal side of the router. (Linux with
netfilter won't, by default, unless you change the default ACCEPT
policy, or add a specific rule to block incoming packets.)




More information about the NANOG mailing list