On Monday 08 April 2002 16:29, Brian J. Murrell wrote:
> On Mon, Apr 08, 2002 at 11:16:38AM +0200, Harald Welte wrote:
> > I totally agree.  Of course those 'orders' would need to go through some
> > firewall-admin defined policy, before hitting netfilter/iptables.
>
> If it is indeed possible to do this.  How does the UPnP determine for
> what purposes a client request is being made?  If the answer is "well
> the client says what it is for" then again, that is useless.
>
> When a certain application is excluded from the security policy it
> will be changed to announce itself as something different -- something
> that is allowed -- not at all unlike all of the applications that were
> made to tunnel through HTTP to be able to circumvent the firewall.

Brian, you always wrote about trusting your clients. <sarcastic> If you do not 
trust your clients, don't connect them to the internet. </sarcastic>
How do you know in detail what your clients send or receive over connections 
to port 80? I assume that nearly all readers of this mailing list would be 
able to write trojans which send all your confidential company data through 
firewalls or even ALGs.

I don't want to say that your worries are needless, but on all security 
aspects you also have to think about the usability aspect. If you don't, all 
your internet traffic will be tunneled through HTTP and you can throw away your 
packet filter.

At our FCP project we trust our proxy or server, not the clients directly. But it 
is clear that the clients can also cheat our proxy if they want.
But I also agree with you that lots of Windows clients requesting ports on our 
firewall without any checks is a nightmare.

Regards
   Nils Ohlmeier
