Hi Vaeth,

on Tue, Sep 16, 2008 at 07:54:43PM +0200, you wrote:
> > I don't even see why you'd strictly need connection tracking to avoid
> > attacks made possible by grossly misconfigured ISP routers. Your router
> > knows that packets with a destination address of 10/8, 192.168/16 and
> > the like have absolutely no business on the public internet so the only
> > sensible behavior would be to just drop them.
>
> This also requires a special kind of router: Namely one which has a
> physical way of distinguishing between the "dangerous" connection to
> the net and your local network (if they are dynamic, this can also
> sometimes be tricked). Of course, combined router/modems have this
> separation practically "by definition".
I can only recall one router where this wasn't the case, my first weird
and wonderful DSL line in the Philippines :D Normally, why bother routing
if you can just physically connect the two networks and have their
traffic intermix?

> However, in any case it requires that the functionality you mention is
> implemented on the router and has no bugs and that the router cannot
> be compromised by other means.

Sure, if your router is compromised you're fuxx0red anyway. I was just
saying that in any halfway sane router these NAT problems are not an
issue. And with many routers running Linux today, you can even get a
shell and check iptables... :)

cheers,
Matthias

--
I prefer encrypted and signed messages.
KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
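The rule Matthias and Vaeth are discussing (packets with a private destination, or a private source arriving from the outside, have no business on the WAN side and should simply be dropped) as an added example that is not part of the original thread. It is a plain POSIX shell script, not code from either poster or from any router firmware: it classifies an address against the RFC 1918 ranges plus loopback and link-local, and prints the iptables rules you would load on a Linux router. The WAN interface name (ppp0) and the helper names are assumptions; the script only echoes the rules so you can inspect them before applying them.

```shell
#!/bin/sh
# Added example: martian filtering on the WAN interface of a Linux router.
# Private and special-use IPv4 prefixes that must never cross the WAN link
# (RFC 1918, loopback, link-local). Assumed list; extend as needed.
MARTIANS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/PREFIX -> exit 0 if IP lies inside the prefix
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_martian IP -> exit 0 if IP belongs to any of the MARTIANS prefixes,
# i.e. it should never appear as source on ingress or destination on egress.
is_martian() {
    for n in $MARTIANS; do
        if in_cidr "$1" "$n"; then
            return 0
        fi
    done
    return 1
}

# gen_rules WAN_IF -> prints the iptables rules (does not apply them):
#  - drop private *sources* coming in from the WAN (anti-spoofing)
#  - drop private *destinations* going out to the WAN (the case in the thread)
gen_rules() {
    wan=$1
    for n in $MARTIANS; do
        echo "iptables -A INPUT   -i $wan -s $n -j DROP"
        echo "iptables -A FORWARD -i $wan -s $n -j DROP"
        echo "iptables -A FORWARD -o $wan -d $n -j DROP"
        echo "iptables -A OUTPUT  -o $wan -d $n -j DROP"
    done
}

# Demo: classify a couple of constructed addresses, then print the ruleset
# for an assumed WAN interface (override with WAN_IF=eth1 ./script.sh).
for a in 10.1.2.3 172.31.9.9 8.8.8.8; do
    if is_martian "$a"; then echo "$a: martian"; else echo "$a: public"; fi
done
gen_rules "${WAN_IF:-ppp0}"
```

On a router where you do have a shell, `iptables -L FORWARD -v -n` shows whether rules of this shape are present and whether their counters move; the input-side rules are also what `net.ipv4.conf.all.rp_filter=1` gives you for free on Linux, but the egress rules (`-d` on the WAN side) are the ones that stop a misconfigured ISP router from ever seeing traffic for your 192.168/16.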