Mark Newton wrote, on 2009-12-11 03:09:
> > You kinda do if you're using a stateful firewall with a "deny everything that shouldn't be accepted" policy. UPnP (or something like it) would have to tell the firewall what should be accepted.
>
> That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic.
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally.

There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen. If you make it "smart" (i.e. UPnP) then it will of course autoconfigure itself for an appropriate virus. However, your average home user often doesn't change their $FOOGEAR password from the default of 1234, and it is reasonable to assume that at some point, viruses will ship with some minimal knowledge of how to "manually" fix their networking environment. Or better yet? Runs a password cracker until it figures it out, since the admin interfaces on these things are rarely hardened.

If you actually /do/ a really good firewall, then of course users find it "hard to use" and your company takes a support hit, maybe gets a bad reputation, etc.

There's no winning.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
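The thread's point is that a UPnP-enabled gateway opens whatever a LAN host asks for. The following added example (not from this thread or any of its posters) shows what such a request looks like on the wire and how a gateway or a monitoring box could audit it: it parses the UPnP IGD `AddPortMapping` SOAP body and flags permanent leases, mappings created on behalf of a different host, and forwarding of well-known admin ports. The sample request, the host addresses and the `ADMIN_PORTS` list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces defined by SOAP 1.1 and the UPnP IGD WANIPConnection:1 service.
SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
IGD_NS = "{urn:schemas-upnp-org:service:WANIPConnection:1}"
# Constructed list of ports a home gateway should never expose automatically.
ADMIN_PORTS = {22, 23, 445, 3389, 5900}

def parse_add_port_mapping(xml_text):
    """Return the AddPortMapping arguments as a dict, or None if absent."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{SOAP_NS}Body/{IGD_NS}AddPortMapping")
    if action is None:
        return None
    # IGD argument elements are unqualified, so child.tag is the bare name.
    return {child.tag: (child.text or "").strip() for child in action}

def audit_request(xml_text, requester_ip):
    """Return the reasons a request looks suspicious (empty list = ok)."""
    args = parse_add_port_mapping(xml_text)
    if args is None:
        return ["not an AddPortMapping request"]
    findings = []
    ext_port = int(args.get("NewExternalPort", "0"))
    int_port = int(args.get("NewInternalPort", "0"))
    lease = int(args.get("NewLeaseDuration", "0"))
    client = args.get("NewInternalClient", "")
    if lease == 0:
        findings.append("permanent lease (NewLeaseDuration=0)")
    if client != requester_ip:
        findings.append(f"mapping targets {client}, sent from {requester_ip}")
    if ext_port in ADMIN_PORTS or int_port in ADMIN_PORTS:
        findings.append(f"exposes admin port {ext_port}->{int_port}")
    return findings

# Constructed request: a LAN host asks for a permanent RDP forward to another host.
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body><u:AddPortMapping
   xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
  <NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort>
  <NewProtocol>TCP</NewProtocol><NewInternalPort>3389</NewInternalPort>
  <NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
  <NewPortMappingDescription>game</NewPortMappingDescription>
  <NewLeaseDuration>0</NewLeaseDuration>
 </u:AddPortMapping></s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    for reason in audit_request(SAMPLE, "192.168.1.20"):
        print("FLAG:", reason)
```

The same checks can be run over captured HTTP POSTs to the gateway's control URL, since IGD requests are plain SOAP over HTTP on the LAN.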