David Lang david at lang.hm
Fri Jul 18 19:08:02 EDT 2014

 On Fri, 18 Jul 2014 11:06:18 +0200, Gert Doering wrote:
> Hi,
> On Thu, Jul 17, 2014 at 12:07:57PM -0400, Soren Harward wrote:
>> the worst case scenario is that the user's machine gets compromised.
> This is an extremely likely case, but it will not happen by a network
> based attack.

 It won't happen by a network based attack from the outside in IPv4 
 because inbound connections from IPv4 are blocked.

> Compromises these days on end hosts happen due to garbage
> the users click on (in mail, in web sites, etc.), much less due to
> network attacks (because client systems have become more robust to these,
> and they all come with a host firewall by default today).

 Desktop OSes may have become more robust (I think this is debatable), 
 but my point is that the upcoming flood of other devices is not secured 
 against network attacks.

> So always assume that the compromised host is already *in* your network,
> and then re-evaluate your router firewall requirements.

 The thing is that by dropping your perimeter firewall, you make 
 everyone in your area be "in your network".

 Yes, there will be some attacks that get through and start from the 
 inside, but there are far fewer that get into my network than to get 
 into the network of everyone I share an ISP with.

 I also don't want these random external users to be eating up my 
 wireless bandwidth hammering uselessly against my devices, even if they 
 will withstand the hammering.

 Go do a tcpdump of your WAN interface some time, and look at all the 
 attacks that are going on there (especially with an ISP that's not 
 blocking it for you).

 If nothing ever got compromised from network attacks, the malware 
 wouldn't bother trying them.

 David Lang
