Neil Bothwick wrote:
> On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:
>
> > > If you are using NAT on the router, you have to explicitly forward
> > > that port somewhere for it to work. [...]
> >
> > Except that this is not completely true [...]
>
> So the router maintains a database of current connections
This is not true for a standard NAT router. Only special routers with additional functionality can do this. Not to mention that occasionally bugs in the implementations of such routers are also found (e.g. using DoS to attempt a database overflow is an attack which comes to mind in the "generic" case). In any case, it depends on how much you can trust the router, while if the port is not open on your machine you do not have such a risk at all. So why take an unnecessary risk?

> In addition, the default rsyncd configuration with Gentoo uses a chroot
> jail.

Also, a chroot jail is not a security feature: there are several known ways to break out. Well, if you use grsecurity (hardened-sources), at least the most gaping security holes are closed in this respect, but this is no guarantee either and can hinder you when you have other uses for chroot. Not to speak of the fact that rsyncd introduces additional code anyway, which might also be vulnerable in an unexpected manner (e.g. in connection with a kernel bug or who-knows-what).

> After all, isn't that exactly how Gentoo mirrors work?

If you offer something on the net you certainly have an increased risk that the corresponding machine is compromised - every mirror administrator is aware of this (or at least he should be). But there is no reason to take any such sort of risk in a network which is not supposed to offer services to other people.