valdis.kletni...@vt.edu wrote, on 2009-12-11 08:06:
> On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
>> Mark Newton wrote, on 2009-12-11 03:09:
>>> You kinda do if you're using a stateful firewall with a "deny
>>> everything that shouldn't be accepted" policy. UPnP (or something
>>> like it) would have to tell the firewall what should be accepted.
>>
>> That's putting the firewall at the mercy of viruses, worms, etc. The firewall
>> shouldn't trust anything else to tell it what is good and bad traffic.
>
> What you suggest?

That depends on the circumstances. UPnP is fine in some circumstances and wrong
in others.

> We *know* that if a worm puts up
> a popup that says "Enable port 33493 on your firewall for naked pics of.."
> that port 33493 will get opened anyhow, so we may as well automate the
> process and save everybody the effort.

Not if the victim doesn't have rights on the firewall (e.g. enterprise).

Simon
--
DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org