[145166] in North American Network Operators' Group

Re: Synology Disk DS211J

daemon@ATHENA.MIT.EDU (Matthew Palmer)
Fri Sep 30 02:20:19 2011

Date: Fri, 30 Sep 2011 16:18:44 +1000
From: Matthew Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <4E852502.9070007@bogus.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
> >> From: Nathan Eisenberg <nathan@atlasnetworks.us>
> >> Subject: RE: Synology Disk DS211J
> >> Date: Thu, 29 Sep 2011 21:58:23 +0000
> >>
> >>> And this is why the prudent home admin runs a firewall device he or she 
> >>> can trust, and has a "default deny" rule in place even for outgoing 
> >>> connections.
> >>>
> >>> - Matt
> >>>
> >>>
> >>
> >> The prudent home admin has a default deny rule for outgoing HTTP to port 
> >> 80?  I doubt it.
> >>
> > 
> > No, the prudent and knowledgeable prudent home admin does not have default deny
> > rule just for outgoing HTTP to port 80.
> > 
> > He has a default deny rule for _everything_.  Every internal source address,
> > and every destination port.  Then he pokes holes in that 'deny everything'
> > for specific machines to make the kinds of external connections that _they_
> > need to make.
> 
> Tell me how that flies with the customers in your household...

Perfectly fine.  My users know not to go plugging random devices in, and I
properly configure the firewall to account for all legitimate traffic before
the device is commissioned.

- Matt
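
An added example, not part of the original message or of any poster's configuration: a small model of the policy discussed in this thread, where every internal source and destination port is denied by default and holes are poked per machine. All addresses, hosts and flows are constructed (RFC 1918 and documentation ranges), and the names `Hole`, `decide` and `audit` are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Hole:
    src: str          # the one internal machine this hole is poked for
    dst: str          # destination network that machine may reach
    proto: str        # "tcp" or "udp"
    ports: frozenset  # destination ports that machine needs

    def matches(self, src, dst, proto, port):
        return (ip_address(src) == ip_address(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and proto == self.proto
                and port in self.ports)

# Constructed policy for hypothetical hosts; anything not listed is denied.
HOLES = [
    Hole("192.168.1.10", "0.0.0.0/0", "tcp", frozenset({80, 443})),     # desktop: web
    Hole("192.168.1.10", "192.0.2.53/32", "udp", frozenset({53})),      # desktop: one resolver
    Hole("192.168.1.20", "198.51.100.25/32", "tcp", frozenset({587})),  # mail host: one relay
]

def decide(src, dst, proto, port, holes=HOLES):
    """Return 'accept' if a per-machine hole matches, otherwise 'deny'."""
    for hole in holes:
        if hole.matches(src, dst, proto, port):
            return "accept"
    return "deny"  # default deny: every source address, every destination port

def audit(flows, holes=HOLES):
    """Return the denied flows, i.e. what to review before commissioning a device."""
    return [f for f in flows if decide(*f, holes=holes) == "deny"]

# Constructed outbound flows: (src, dst, proto, dport)
FLOWS = [
    ("192.168.1.10", "203.0.113.7", "tcp", 443),    # desktop HTTPS
    ("192.168.1.10", "203.0.113.7", "tcp", 22),     # desktop SSH, no hole
    ("192.168.1.20", "198.51.100.25", "tcp", 587),  # mail submission to the relay
    ("192.168.1.20", "203.0.113.7", "tcp", 80),     # mail host has no web hole
    ("192.168.1.99", "203.0.113.7", "tcp", 80),     # uncommissioned device, port 80
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(decide(*flow), flow)
```

Note that the port 80 flow from the unlisted address is denied even though the desktop's port 80 traffic is accepted: the holes are keyed on the source machine, not on the port alone.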


