[120168] in North American Network Operators' Group


Re: Consumer Grade - IPV6 Enabled Router Firewalls.

daemon@ATHENA.MIT.EDU (Simon Perreault)
Fri Dec 11 08:27:50 2009

Date: Fri, 11 Dec 2009 08:26:57 -0500
From: Simon Perreault <simon.perreault@viagenie.ca>
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <5008.1260536813@localhost>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Valdis.Kletnieks@vt.edu wrote, on 2009-12-11 08:06:
> On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
>> Mark Newton wrote, on 2009-12-11 03:09:
>>> You kinda do if you're using a stateful firewall with a "deny
>>> everything that shouldn't be accepted" policy.  UPnP (or something
>>> like it) would have to tell the firewall what should be accepted.
>>
>> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
>> shouldn't trust anything else to tell it what is good and bad traffic.
> 
> What do you suggest?

That depends on the circumstances. UPnP is fine in some circumstances and wrong
in others.

> We *know* that if a worm puts up
> a popup that says "Enable port 33493 on your firewall for naked pics of.."
> that port 33493 will get opened anyhow, so we may as well automate the
> process and save everybody the effort.

Not if the victim doesn't have rights on the firewall (e.g. enterprise).

Simon
-- 
DNS64 open-source   --> http://ecdysis.viagenie.ca
STUN/TURN server    --> http://numb.viagenie.ca
vCard 4.0           --> http://www.vcarddav.org
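A concrete form of the "deny everything that shouldn't be accepted" stateful policy Mark Newton describes, as an added example that is not from this thread or from any product it mentions: an nftables ruleset for the IPv6 side of a home router. The interface names "wan0"/"lan0", the documentation-prefix address and the management ports are assumptions; the "pinholes" chain is the single place where a UPnP- or PCP-style daemon would be permitted to add rules, and it is deliberately empty.

```nft
# Added example (not from the thread): IPv6 stateful default-deny for a home router.
# Interface names "wan0"/"lan0" and the 2001:db8:: address are assumptions.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Neighbor Discovery and PMTUD errors must get through or IPv6 breaks;
        # rate-limit echo so the router still answers basic reachability checks.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
                      nd-router-advert, packet-too-big, time-exceeded,
                      parameter-problem, destination-unreachable } accept
        icmpv6 type echo-request limit rate 10/second accept
        # DHCPv6 client replies from the upstream server on the WAN side.
        iifname "wan0" udp sport 547 udp dport 546 accept
        # Router management only from the LAN, never from the WAN.
        iifname "lan0" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate outbound; nothing unsolicited comes in from the WAN.
        iifname "lan0" oifname "wan0" accept
        # Accept ICMPv6 errors toward LAN hosts explicitly rather than relying
        # only on conntrack's "related" matching, so PMTUD keeps working.
        iifname "wan0" icmpv6 type { packet-too-big, time-exceeded,
                                     parameter-problem, destination-unreachable } accept
        # Everything else inbound must be an explicit pinhole.
        jump pinholes
    }

    chain pinholes {
        # Only an administrator (or a daemon the administrator chose to trust)
        # adds rules here. Constructed static example, left commented out:
        # iifname "wan0" ip6 daddr 2001:db8::10 tcp dport 22 accept
    }
}
```

Load with `nft -f` and inspect the result with `nft list table ip6 filter`; anything a UPnP-style daemon adds shows up in the pinholes chain, which makes unexpected openings easy to audit.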