3 Feb
2011
3 Feb
'11
1:24 a.m.
On Thu, Feb 3, 2011 at 12:18 AM, Jay Ashworth <jra@baylink.com> wrote:
Complexity of the configuration vastly increases the size of the attack surface: in a NATted edge network, *no packets can come in unless I explicitly configure for them*; there are any number of reasons why an equivalently simply assertion cannot be made concerning the configuration of firewalls, of whatever type or construction.
I've always wondered how many consumer-grade routers aren't actually doing this, and the fact that they don't do this is masked by the use of RFC1918 addresses on the internal side of the router. (Linux with netfilter won't, by default, unless you change the default ACCEPT policy, or add a specific rule to block incoming packets.)