[OpenWrt-Devel] OpenWRT IPv6 firewall

Gert Doering gert at greenie.muc.de
Sat Jul 19 16:17:14 EDT 2014


On Fri, Jul 18, 2014 at 04:08:02PM -0700, David Lang wrote:
> Yes, there will be some attacks that get through and start from the 
> inside, but there are far fewer that get into my network than to get 
> into the network of everyone I share an ISP with.
> I also don't want these random external users to be eating up my 
> wireless bandwidth hammering uselessly against my devices, even if they 
> will withstand the hammering.

In that case, you should ask your *ISP* to install the filter - after
all, you wouldn't want them to eat up your WAN bandwidth, no?

> go do a tcpdump of your WAN interface some time, look at all the 
> attacks that are going on there (especially with an ISP that's not 
> blocking it for you)

I'm well aware of all the bullshit that is knocking on my doors all
day.  Point is, firewalls on the *routers* are not going to help the
laptop that moves around, attaches to a Wifi Hotspot, is hacked there,
gets moved back behind your firewall, and starts hacking others from
there.  And it doesn't help the desktop PC that neglected to do any
updates, gets infected by flash/pdf/word exploit, and starts scanning
your network, behind the firewall.

These things are all so commonplace that the firewall on the router adds
dubious value - but at the same time, it breaks stuff.  So if you have to
decide about something that adds little positive but significant negative,
why would you go for enabling it, except for "we've done it that way for
the last 20 years?"

And yes, I do agree that too many software and hardware vendors have no
clue how to properly secure their systems.  Will it help hide them behind
a magic firewall, until they get hacked via proxy (there *will* be a
hacked machine behind that firewall), or will it help more to expose them,
*get* them hacked, raise a big fuss in the press about, say, printer
vendor XYZ being too stupid to get their firmware right, and get it
actually *fixed*, instead of having a time bomb in your network?

> If nothing ever got compromised from network attacks, the malware 
> wouldn't bother trying them.

Servers get compromised from network attacks all day.  Unfortunately,
servers usually sit behind firewalls that permit just those ports that
enable the attacks, like "php based attack du jour" or "sip attacks on
weak credentials", etc.

To turn that argument around: why are bots mailing me infected documents,
or trying to lure me into web sites that contain malware if network attacks
are so successful?

(But anyway - I already stated far upthread that this is one of the threads
where people will not listen and stick to their religion anyway.  So I 
should spend my time coding instead)

USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de