On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:

> > If you are using NAT on the router, you have to explicitly forward
> > that port somewhere for it to work. [...]
>
> Except that this is not completely true: See some of the many articles
> in the net which explain why NAT is not a security feature. A quick
> google search gave e.g.
> http://www.nexusuk.org/articles/2005/03/12/nat_security/

"So the router maintains a database of current connections so that traffic is always allowed through for them, and you can tell it to filter all new connections made from the internet whilst allowing all new connections made from inside the local network. This means that no one can make a connection from the internet to one of your workstations, even though they can route to its address."

If the relevant ports are not forwarded in the router, this applies and no one can make a new connection to your rsync server.

In addition, the default rsyncd configuration with Gentoo uses a chroot jail. So even if you do allow connections to your portage tree, they won't be able to access anything else. After all, isn't that exactly how Gentoo mirrors work?

-- 
Neil Bothwick

There is absolutely no substitute for a genuine lack of preparation.
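The filtering policy described in the article quoted above, as an added example that is not part of the original message: a toy connection-tracking filter that accepts connections made from inside, accepts traffic for tracked connections, and drops new inbound connections unless the service was explicitly opened. The class and function names, the addresses, and the `allowed_inbound` set (standing in for a forwarded port, with no address translation modeled) are assumptions made for illustration.

```python
# Added illustration, not from the original thread.
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection

class StatefulFilter:
    def __init__(self, lan_cidr, allowed_inbound=()):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.allowed_inbound = set(allowed_inbound)  # (host, port) opened on purpose
        self.flows = set()  # (inside addr, inside port, outside addr, outside port)

    def handle(self, p):
        """Return 'ACCEPT' or 'DROP' for one packet and update the flow table."""
        if ipaddress.ip_address(p.src) in self.lan:
            # Connections made from inside are allowed and remembered.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"  # traffic belonging to a tracked connection
        if p.syn and (p.dst, p.dport) in self.allowed_inbound:
            # New inbound connection to a service that was explicitly opened.
            self.flows.add((p.dst, p.dport, p.src, p.sport))
            return "ACCEPT"
        return "DROP"  # every other new connection from the internet

def demo():
    # Constructed sample addresses (RFC 1918 / documentation ranges).
    rsync = ("192.168.1.10", 873)
    closed = StatefulFilter("192.168.1.0/24")
    opened = StatefulFilter("192.168.1.0/24", allowed_inbound={rsync})
    probe = Packet("203.0.113.5", 40000, *rsync, syn=True)
    out = Packet("192.168.1.10", 51000, "198.51.100.7", 873, syn=True)
    reply = Packet("198.51.100.7", 873, "192.168.1.10", 51000)
    return {
        "inbound_not_forwarded": closed.handle(probe),
        "outbound": closed.handle(out),
        "reply_to_outbound": closed.handle(reply),
        "inbound_forwarded": opened.handle(probe),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```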

