[OpenWrt-Devel] OpenWRT IPv6 firewall
David Lang
david at lang.hm
Fri Jul 18 19:08:02 EDT 2014
On Fri, 18 Jul 2014 11:06:18 +0200, Gert Doering wrote:
> Hi,
>
> On Thu, Jul 17, 2014 at 12:07:57PM -0400, Soren Harward wrote:
>> the worst case scenario is that the user's machine gets compromised.
>
> This is an extremely likely case, but it will not happen by a network
> based attack.

It won't happen by a network based attack from the outside in IPv4
because inbound connections from IPv4 are blocked.

> Compromises these days on end hosts happen due to garbage
> the users click on (in mail, in web sites, etc.), much less due to
> network attacks (because client systems have become more robust to
> these, and they all come with a host firewall by default today).

Desktop OSs may have become more robust (I think this is debatable),
but my point is that the upcoming flood of other devices is not secured
against network attacks.

> So always assume that the compromised host is already *in* your
> network, and then re-evaluate your router firewall requirements.

The thing is that by dropping your perimeter firewall, you make
everyone in your area be "in your network".

Yes, there will be some attacks that get through and start from the
inside, but there are far fewer that get into my network than to get
into the network of everyone I share an ISP with.

I also don't want these random external users to be eating up my
wireless bandwidth hammering uselessly against my devices, even if they
will withstand the hammering.

Go do a tcpdump of your WAN interface some time, look at all the
attacks that are going on there (especially with an ISP that's not
blocking it for you).

If nothing ever got compromised from network attacks, the malware
wouldn't bother trying them.

David Lang
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel