nanog mailing list archives

Re: Consumer Grade - IPV6 Enabled Router Firewalls.


From: Simon Perreault <simon.perreault () viagenie ca>
Date: Fri, 11 Dec 2009 08:26:57 -0500

Valdis.Kletnieks () vt edu wrote, on 2009-12-11 08:06:
> On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
>> Mark Newton wrote, on 2009-12-11 03:09:
>>> You kinda do if you're using a stateful firewall with a "deny
>>> everything that shouldn't be accepted" policy.  UPnP (or something
>>> like it) would have to tell the firewall what should be accepted.
>>
>> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
>> shouldn't trust anything else to tell it what is good and bad traffic.
>
> What do you suggest?

That depends on the circumstances. UPnP is fine in some circumstances and wrong
in others.

> We *know* that if a worm puts up
> a popup that says "Enable port 33493 on your firewall for naked pics of.."
> that port 33493 will get opened anyhow, so we may as well automate the
> process and save everybody the effort.

Not if the victim doesn't have rights on the firewall (e.g. enterprise).

Simon
-- 
DNS64 open-source   --> http://ecdysis.viagenie.ca
STUN/TURN server    --> http://numb.viagenie.ca
vCard 4.0           --> http://www.vcarddav.org
