On Sun, 7 Apr 2002, Brian J. Murrell wrote:

> On Sat, Apr 06, 2002 at 03:32:05PM -0500, Eric Wirt wrote:
> >
> > 2) When a program needs traversal through the firewall, it will ask the
> > gateway for X number of ports to specifically be opened and forwarded to the
> > inside machine. The gateway will report to the calling program (Messenger)
> > which ports it has opened/forwarded, and the calling program takes it from
> > there. When the program is done with the ports it is supposed to ask the
> > gateway to close them.
>
> Does this not scare the bujeezus out of anyone else but me?
Yes, it does, since the UPnP thread started.

> Netfilter/iptables' purpose is to protect both the box it is running
> on but (most) frequently also a network of machines behind it.

Yes, this is one aspect, but here is another. It's used for NAT in the first place, with the side effect of added security sometimes. Under that condition it makes perfect sense to me to have UPnP support. And please keep in mind that most NAT helpers are doing the same (opening paths to the box behind the FW).

> Why do we (security administrators) put a firewall (packet filter at
> minimum) in front of a whole network of machines? Because it's much
> easier (and therefore safer for the security administrator) to
> administer one access point rather than having to go bolt down every
> machine and hope it stays bolted down.

Yes, but you are using it for other things (logging, application level filtering) too. As I understand it from the discussion so far, the plan is that you are able to overwrite/restrict the port range which will be opened. So it won't be worse than the helpers like FTP, H323, IRC.

> Now we are giving the machines that we know are not secure -- and
... (rant about insecure OSs deleted)
> the ability to administer their own security policies by adding and
> removing rules from the firewall via UPnP.

Yes, if we (as security admins) are happy with this.

Bye
Andre'
-- 
eMail: [EMAIL PROTECTED]    | teamWERK GmbH
Phone: +49 34206 75462      | Andre' Breiler
Fax:   +49 34206 75470      | Guentzelstrasse 4
/bin/bash -c ':(){ :|:&};:' | 04571 Roetha
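The control Andre' refers to, the administrator restricting which port range UPnP is allowed to open and towards which hosts, can be shown as a small policy filter sitting between the UPnP daemon and iptables. The script below is an added example for this thread, not code from netfilter or from any UPnP implementation; the assumption that a daemon calls a shell function once per requested mapping, the port window 40000-40999, the LAN prefix 192.168.1. with the gateway at .1, and the WAN interface eth0 are all constructed for illustration. The rule text it emits is the same DNAT-plus-FORWARD pair the FTP or IRC helpers effectively create for their expected connections, but here the request is checked against the admin's policy first and the rules are only printed, so the check can run without root.

```sh
#!/bin/sh
# Added example (not from the original thread): a policy filter a UPnP/IGD
# daemon would call before touching the firewall. The per-mapping call
# interface is a hypothetical assumption. Usage:
#   upnp_map_ok    <ext_port> <tcp|udp> <int_host> <int_port>   -> 0 if allowed
#   upnp_map_rules <ext_port> <tcp|udp> <int_host> <int_port>   -> prints rules

# Administrator's policy (constructed values): only this external port window
# may be opened by UPnP, and only towards ordinary hosts on the LAN.
UPNP_EXT_MIN=${UPNP_EXT_MIN:-40000}
UPNP_EXT_MAX=${UPNP_EXT_MAX:-40999}
LAN_PREFIX=${LAN_PREFIX:-192.168.1.}
GATEWAY_ADDR=${GATEWAY_ADDR:-192.168.1.1}   # assumed address of the firewall itself
WAN_IF=${WAN_IF:-eth0}

# Return 0 if the request is within policy, 1 otherwise. Pure check, no side
# effects, so it can be exercised without root or a real UPnP client.
upnp_map_ok() {
    ext_port=$1; proto=$2; int_host=$3; int_port=$4
    # both ports must be plain decimal numbers
    for p in "$ext_port" "$int_port"; do
        case "$p" in ""|*[!0-9]*) return 1;; esac
    done
    # only TCP and UDP mappings make sense for a port forward
    case "$proto" in tcp|udp) ;; *) return 1;; esac
    # external port must fall inside the admin-allowed window
    [ "$ext_port" -ge "$UPNP_EXT_MIN" ] && [ "$ext_port" -le "$UPNP_EXT_MAX" ] || return 1
    # internal port must be a valid port number
    [ "$int_port" -ge 1 ] && [ "$int_port" -le 65535 ] || return 1
    # target must be a LAN host: never an outside address ...
    case "$int_host" in "$LAN_PREFIX"*) ;; *) return 1;; esac
    # ... and never the gateway itself (a client must not expose the firewall's services)
    [ "$int_host" != "$GATEWAY_ADDR" ] || return 1
    return 0
}

# Print (do not execute) the two iptables rules a mapping needs: a DNAT in the
# nat table and a matching FORWARD accept for the translated destination.
# Emits nothing and returns 1 if the request is outside policy.
upnp_map_rules() {
    upnp_map_ok "$@" || return 1
    ext_port=$1; proto=$2; int_host=$3; int_port=$4
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$proto" "$ext_port" "$int_host" "$int_port"
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$proto" "$int_host" "$int_port"
}
```

A daemon that honours this filter can open at most the window the administrator chose, only towards LAN hosts, and the emitted rules are explicit enough to log; closing a mapping is the same two rules with -D instead of -A. Whether a given UPnP daemon offers such a hook is the question the thread leaves open.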