Valdis.Kletnieks@vt.edu wrote, on 2009-12-11 08:06:
On Fri, 11 Dec 2009 07:41:59 EST, Simon Perreault said:
Mark Newton wrote, on 2009-12-11 03:09:
You kinda do if you're using a stateful firewall with a "deny everything that shouldn't be accepted" policy. UPnP (or something like it) would have to tell the firewall what should be accepted.
That's putting the firewall at the mercy of viruses, worms, etc. The firewall shouldn't trust anything else to tell it what is good and bad traffic.
What you suggest?
That depends on the circumstances. UPnP is fine in some circumstances and wrong in others.
We *know* that if a worm puts up a popup that says "Enable port 33493 on your firewall for naked pics of.." that port 33493 will get opened anyhow, so we may as well automate the process and save everybody the effort.
Not if the victim doesn't have rights on the firewall (e.g. enterprise). Simon -- DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca vCard 4.0 --> http://www.vcarddav.org