Hi Neil,
on Tue, Sep 16, 2008 at 04:59:39PM +0100, you wrote:
> > Except that this is not completely true: See some of the many articles
> > in the net which explain why NAT is not a security feature. A quick
> > google search gave e.g.
> > http://www.nexusuk.org/articles/2005/03/12/nat_security/
> 
> "So the router maintains a database of current connections so that traffic
> is always allowed through for them, and you can tell it to filter all new
> connections made from the internet whilst allowing all new connections
> made from inside the local network. This means that no one can make a
> connection from the internet to one of your workstations, even though
> they can route to its address."
> 
> If the relevant ports are not forwarded in the router, this applies and
> no one can make a new connection to your rsync server.

I don't even see why you'd strictly need connection tracking to avoid
attacks made possible by grossly misconfigured ISP routers. Your router
knows that packets with a destination address of 10/8, 192.168/16 and
the like have absolutely no business on the public internet so the only
sensible behavior would be to just drop them.

cheers,
        Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0  8DEF 48D9 1700 FAC3 7665
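The two checks discussed in this thread, a conntrack/NAT rule that only admits replies to LAN-originated connections and the "drop private destinations on the WAN side" rule from the reply above, as a toy model added here for illustration (not code from the thread); the public address, ports and packet tuples are constructed sample values.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Dict, Tuple

# Constructed values for this example: the router's public address (RFC 5737
# documentation range) and the RFC 1918 blocks that must never appear as a
# destination on packets arriving from the public internet.
PUBLIC_IP = "203.0.113.1"
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Packet(NamedTuple):
    iface: str   # "lan" or "wan": the interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Toy model (hypothetical, not a real firewall) of a NAT router with conntrack."""
    def __init__(self) -> None:
        # external port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.conntrack: Dict[int, Tuple[str, int, str, int]] = {}
        self.next_port = 40000

    def decide(self, pkt: Packet) -> str:
        if pkt.iface == "lan":
            # Outbound: record the connection and masquerade it behind PUBLIC_IP.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            ext = next((p for p, v in self.conntrack.items() if v == key), None)
            if ext is None:
                ext = self.next_port
                self.next_port += 1
                self.conntrack[ext] = key
            return f"allow:snat {PUBLIC_IP}:{ext}"
        # Inbound from the WAN. A private destination means an upstream router
        # leaked our internal address space: drop it outright, before any
        # conntrack lookup (the point made in the reply above).
        if any(ip_address(pkt.dst) in n for n in PRIVATE_NETS):
            return "drop:private-dst"
        entry = self.conntrack.get(pkt.dport) if pkt.dst == PUBLIC_IP else None
        if entry and (entry[2], entry[3]) == (pkt.src, pkt.sport):
            # Reply to a LAN-originated connection: un-NAT it and forward.
            return f"allow:dnat {entry[0]}:{entry[1]}"
        # Anything else is a new connection from the internet; with no port
        # forward configured it never reaches a host such as the rsync server.
        return "drop:new-inbound"
```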
