nanog mailing list archives
Re: quietly....
From: Nicholas Suan <nsuan () nonexiste net>
Date: Thu, 3 Feb 2011 01:24:47 -0500
On Thu, Feb 3, 2011 at 12:18 AM, Jay Ashworth <jra () baylink com> wrote:
> Complexity of the configuration vastly increases the size of the attack surface: in a NATted edge network, *no packets can come in unless I explicitly configure for them*; there are any number of reasons why an equivalently simple assertion cannot be made concerning the configuration of firewalls, of whatever type or construction.
I've always wondered how many consumer-grade routers aren't actually doing this, and the fact that they don't do this is masked by the use of RFC1918 addresses on the internal side of the router. (Linux with netfilter won't, by default, unless you change the default ACCEPT policy, or add a specific rule to block incoming packets.)
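As an added illustration (not part of the thread), the following audit reads two constructed iptables-save dumps: one that only masquerades and leaves the filter chains at the netfilter default ACCEPT policy, and one that also drops unsolicited forwarded traffic while letting conntrack pass replies to LAN-initiated connections. The WAN interface name eth0 and the rule text are assumptions for the sample.

```python
"""Check an iptables-save dump for NAT that merely hides an unfiltered FORWARD chain."""

# Constructed sample: MASQUERADE only; filter chains left at the kernel default (ACCEPT).
NAT_ONLY = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: same NAT, but FORWARD defaults to DROP and only replies
# to connections opened from the inside (eth1) are allowed back in from eth0.
NAT_PLUS_FILTER = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def audit(dump, wan="eth0"):
    """Return a list of findings; an empty list means unsolicited WAN traffic is not forwarded."""
    findings, table, policies, fwd = [], None, {}, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A FORWARD "):
            fwd.append(line)
    # If the filter table is absent the kernel default (ACCEPT) applies.
    if policies.get("FORWARD", "ACCEPT") == "ACCEPT":
        findings.append("FORWARD policy ACCEPT: unsolicited WAN packets reach LAN hosts")
    stateful = [r for r in fwd if "--ctstate" in r or "--state" in r]
    for r in fwd:
        if f"-i {wan}" in r and r.endswith("-j ACCEPT") and r not in stateful:
            findings.append(f"stateless accept from {wan} bypasses the DROP policy: {r}")
    if policies.get("FORWARD") == "DROP" and not stateful:
        findings.append("FORWARD DROP without a conntrack rule: replies to LAN connections are dropped too")
    return findings
```

Run it against the output of `iptables-save` on a Linux router to see whether the NAT is masking an open FORWARD chain.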