On Monday 08 April 2002 18:03, Nils Ohlmeier wrote:
> Brian you always wrote about trusting your clients. <sarcastic> If you do not trust your clients don't connect them to the internet. </sarcastic> How do you know in detail what your clients send or receive over connections to port 80? I assume that nearly all readers of this mailing list would be able to write trojans which send all your confidential company data through firewalls or even ALGs.
I agree. Writing a trojan that opens a backdoor into your network using random HTTP requests to random (hacked) hosts on the Internet is not very complex, and it can be made in such a manner that it cannot easily be spotted in the "normal" HTTP noise. If you are in the situation that trojans are likely to be executed on your client computers then you are fucked. Period. Any security scheme discussed in the presence of trojans widespread on the client computers is pointless, except unplugging and powering off all computers and asking the users to go back to using pen and paper (old-fashioned typewriters are also OK).

But this thread is about how we can provide UPnP port mapping within iptables/netfilter in a sensible manner, not how poor the reality of Internet security actually is when you do not trust your clients at all. I say providing UPnP with an adequate level of security for the scope where UPnP is useful is entirely possible.

From what has been told by Brian Murrel about his network I don't think UPnP is anything he should or needs to be running. The scope of UPnP port mapping is relatively small networks with a NAT gateway and no internal routers. For anything outside this scope the protocol is highly unsuitable by design. As a rule of thumb one can say that if you have a NAT:ed network where it is likely that more than one client at a time needs to run the same application requiring inverse NAT for incoming connections, then UPnP is likely not the tool for the job. If you don't have a NAT:ed network, then UPnP port mapping plays no role.

Regards
Henrik
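As an added illustration of the "sensible manner" Henrik refers to, and of why two clients wanting the same external port is outside UPnP's scope, the following Python is an example policy gate for UPnP IGD AddPortMapping requests sitting in front of iptables. It is not code from the thread, from netfilter or from any UPnP daemon; the interface names, LAN prefix, port range and lease cap are assumed deployment values, and the request dictionaries are constructed samples. The gate accepts a mapping only when the requesting host maps a port to itself, the external port is unprivileged and not already claimed by another host, and the lease is finite; accepted requests are rendered as iptables DNAT and FORWARD commands (printed, not executed).

```python
"""Policy gate for UPnP IGD AddPortMapping requests in front of iptables.

Constructed example: a request is accepted only if the internal client it
names is the host that sent it, the external port is in an allowed range and
not already claimed by another host, and the lease is bounded. Accepted
requests are turned into iptables DNAT/FORWARD commands (not executed here).
"""
import ipaddress
from dataclasses import dataclass

# Assumed deployment values (not taken from the original thread).
WAN_IF = "eth0"
LAN_IF = "eth1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_EXT_PORTS = range(1024, 65536)   # never expose privileged ports
MAX_LEASE = 24 * 3600                    # seconds; 0 (permanent) is refused
ALLOWED_PROTOS = {"TCP", "UDP"}


@dataclass(frozen=True)
class PortMapping:
    proto: str
    ext_port: int
    internal_client: str
    int_port: int
    lease: int


class MappingPolicy:
    def __init__(self):
        # (proto, ext_port) -> PortMapping currently installed
        self.table = {}

    def validate(self, requester_ip, req):
        """Return None if the request is acceptable, else a reason string."""
        proto = req.get("NewProtocol", "").upper()
        if proto not in ALLOWED_PROTOS:
            return "unsupported protocol"
        try:
            ext_port = int(req["NewExternalPort"])
            int_port = int(req["NewInternalPort"])
            lease = int(req.get("NewLeaseDuration", 0))
            client = ipaddress.ip_address(req["NewInternalClient"])
        except (KeyError, ValueError):
            return "malformed request"
        if req.get("NewRemoteHost", "") != "":
            return "remote host must be wildcard"
        # The requesting host may only punch holes towards itself, never
        # towards a third machine on the LAN.
        if client != ipaddress.ip_address(requester_ip):
            return "client may only map ports to itself"
        if client not in LAN_NET:
            return "client outside LAN"
        if ext_port not in ALLOWED_EXT_PORTS or not 1 <= int_port <= 65535:
            return "port out of allowed range"
        if lease <= 0 or lease > MAX_LEASE:
            return "lease must be finite and bounded"
        # One external port can only be forwarded to one internal host; a
        # second host asking for it gets UPnP IGD error 718.
        existing = self.table.get((proto, ext_port))
        if existing and existing.internal_client != str(client):
            return "ConflictInMappingEntry"
        return None

    def add(self, requester_ip, req):
        """Validate and record a mapping; return the iptables commands for it."""
        reason = self.validate(requester_ip, req)
        if reason:
            raise PermissionError(reason)
        m = PortMapping(req["NewProtocol"].upper(), int(req["NewExternalPort"]),
                        req["NewInternalClient"], int(req["NewInternalPort"]),
                        int(req["NewLeaseDuration"]))
        self.table[(m.proto, m.ext_port)] = m
        return iptables_rules(m)


def iptables_rules(m):
    """DNAT the external port on the WAN side and allow the forwarded flow."""
    p = m.proto.lower()
    return [
        f"iptables -t nat -A PREROUTING -i {WAN_IF} -p {p} --dport {m.ext_port} "
        f"-j DNAT --to-destination {m.internal_client}:{m.int_port}",
        f"iptables -A FORWARD -i {WAN_IF} -o {LAN_IF} -p {p} -d {m.internal_client} "
        f"--dport {m.int_port} -m conntrack --ctstate NEW -j ACCEPT",
    ]


if __name__ == "__main__":
    policy = MappingPolicy()
    # Constructed sample request as a UPnP control point would send it.
    request = {"NewProtocol": "TCP", "NewExternalPort": "6881",
               "NewInternalPort": "6881", "NewInternalClient": "192.168.1.10",
               "NewLeaseDuration": "3600", "NewRemoteHost": ""}
    for rule in policy.add("192.168.1.10", request):
        print(rule)
    # A second host wanting the same external port is refused.
    print(policy.validate("192.168.1.11",
                          dict(request, NewInternalClient="192.168.1.11")))
```

The requester address is taken from the socket the SOAP request arrived on, not from the request body, which is the whole point of the self-only check; a daemon that trusts NewInternalClient lets any LAN host expose any other.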