> > The 'official' IETF approach on how to NAT SIP/SDP is that you have to > > run some SIP proxy, which communicates the to-be-opened port and NAT > > mappings > > over some protocol (formerly FCP, firewall configuration protocol) to > the > > firewall. > > And how is the SIP proxy any safer that allowing it through the server? > They're both going to relay the same information back to the inside > machine, and if the SIP Proxy isn't watching for Trojan horses, what's > to say it won't get through anyway? The fact is some OS's ARE indeed > insecure, but we don't always have that choice now do we.
The difference is that a SIP proxy will only allow stuff that looks like SIP through the firewall. This UPnP protocol looks like it will allow pretty much anything, including the ability to expose an internal machine's listen sockets to the outside world and thus be effectively in front of the firewall. > Like I said before it's easy to write this off as just too insecure. > But since when has the open source community said we don't want to > provide choices? I don't know about all of you, but I really don't care > if my infamous OS is open to attacks through these ports. What's the > alternative? Having to pull it out from behind the firewall completely > leaving EVERY port open to compromise? Choices are good, yes. If you want this UPnP thing, I don't think anyone will fault you for writing it. But I don't think many people here will jump on board and help you, either. It sounds like a very insecure and dangerous protocol. -- Unplug and get connected: http://www.seattlewireless.net/
