[136433] in North American Network Operators' Group


Re: quietly....

daemon@ATHENA.MIT.EDU (Nicholas Suan)
Thu Feb 3 01:26:31 2011

In-Reply-To: <1899106.4313.1296710323930.JavaMail.root@benjamin.baylink.com>
Date: Thu, 3 Feb 2011 01:24:47 -0500
From: Nicholas Suan <nsuan@nonexiste.net>
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Feb 3, 2011 at 12:18 AM, Jay Ashworth <jra@baylink.com> wrote:

> Complexity of the configuration vastly increases the size of the
> attack surface: in a NATted edge network, *no packets can come in
> unless I explicitly configure for them*; there are any number of
> reasons why an equivalently simple assertion cannot be made concerning
> the configuration of firewalls, of whatever type or construction.
>

I've always wondered how many consumer-grade routers aren't actually
doing this, and the fact that they don't do this is masked by the use
of RFC1918 addresses on the internal side of the router. (Linux with
netfilter won't, by default, unless you change the default ACCEPT
policy, or add a specific rule to block incoming packets.)
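
An added example, not part of the original thread, of the netfilter point Nicholas raises: an iptables-restore ruleset for a Linux NAT gateway, with the default-ACCEPT filter policy that a NAT-only setup leaves in place shown commented out beside a filter table that defaults to DROP and admits only connection-tracked replies. Interface names eth0 (upstream) and eth1 (LAN) and the 192.168.1.0/24 range are assumptions.

```conf
# iptables-restore ruleset for a Linux NAT gateway.
# Assumed: eth0 faces the upstream, eth1 faces the LAN, LAN is 192.168.1.0/24.

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT for LAN hosts going out. This single rule is what a
# "NAT-only" configuration amounts to: it rewrites addresses on traffic
# leaving via eth0 and does nothing to traffic arriving on eth0.
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
# Weak setting: the netfilter defaults a NAT-only configuration leaves
# in place. With FORWARD at ACCEPT, a packet arriving on eth0 that is
# already addressed to a 192.168.1.x host is simply routed to it; the
# private addressing hides this only as long as the upstream never
# routes such packets toward the gateway.
#:INPUT ACCEPT [0:0]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]

# Corrected: drop by default, then admit only what is wanted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# LAN hosts may open connections toward the upstream.
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
# From the upstream, only replies to connections the LAN initiated.
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else bound for the LAN falls through to the FORWARD DROP policy.

# The gateway itself: loopback, replies, and management from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
COMMIT
```

Load it with `iptables-restore < ruleset`; afterwards `iptables -S FORWARD` should begin with `-P FORWARD DROP`, and a NAT-only box will instead show `-P FORWARD ACCEPT`.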

