On Sat, 2005-12-17 at 04:45 -0500, Sean wrote:
> Well Fedora could help the situation by making sure its default bt client supports UPnP so that a compliant NAT router (like most Linksys) will automatically be configured without the user needing to deal with it at all.

I would rather hope not. I like to think that Fedora systems are relatively secure by default, and running applications in default manners won't change that. Having UPnP on by default can lead to randomly open ports for forwarding and that is not a good thing. Goes against the whole ideal of secure by default.
On Sat, December 17, 2005 2:15 pm, Jesse Keating said:
> I would rather hope not. I like to think that Fedora systems are relatively secure by default, and running applications in default manners won't change that. Having UPnP on by default can lead to randomly open ports for forwarding and that is not a good thing. Goes against the whole ideal of secure by default.

Actually it's more about working-by-default. There is nothing insecure about providing port-forwarding access to the bit-torrent client while it is active. Especially since the forwarding is disabled when the application is turned off. For those who truly object to this, UPnP can be disabled on the router.
Sean
On 12/17/05, Sean seanlkml@sympatico.ca wrote:
> Actually it's more about working-by-default. There is nothing insecure about providing port-forwarding access to the bit-torrent client while it is active. Especially since the forwarding is disabled when the application is turned off. For those who truly object to this, UPnP can be disabled on the router.

I don't think the issue is the bittorrent client specifically. This has to do with whether or not the local firewall should be trusting these kinds of requests for port opening from applications generally... without knowledge as to purpose or intent. Who's to say that the next application to need this functionality isn't doing so for malicious means.
-jef
On Sat, December 17, 2005 2:30 pm, Jeff Spaleta said:
> I don't think the issue is the bittorrent client specifically. This has to do with whether or not the local firewall should be trusting these kinds of requests for port opening from applications generally... without knowledge as to purpose or intent. Who's to say that the next application to need this functionality isn't doing so for malicious means.

Well we're talking about two different things here. One is the local firewall rules, let's set that aside for a moment. The other is the use of auto-port-forwarding on a NAT router connecting a home network to the internet. My contention is it's not our job to decide the policy on this. We should use the facility if it is enabled on the router. For those who don't agree with this functionality they can shut it off.
And really, without a corresponding change to the firewall rules on the local machine the port forwarding on the router has __0 effect__. Because any packets forwarded to the local machine will still be rejected by the firewall.
Sean
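
The two layers discussed in this thread (the router's UPnP mapping table and the host's own firewall) can be audited together. The following is an added example, not part of the thread or of any Fedora code: it parses `GetGenericPortMappingEntryResponse` bodies in the WANIPConnection:1 format and classifies each mapping. The sample responses, addresses, and the `host_firewall_allows` set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: GetGenericPortMappingEntryResponse bodies in the
# shape a WANIPConnection:1 router returns. All addresses/ports are invented.
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
    "<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>"
    "<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
    "<NewLeaseDuration>{lease}</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)
SAMPLES = [
    TEMPLATE.format(ext=6881, proto="TCP", port=6881, client="192.168.1.10", desc="bittorrent", lease=3600),
    TEMPLATE.format(ext=6882, proto="UDP", port=6882, client="192.168.1.10", desc="bittorrent", lease=0),
    TEMPLATE.format(ext=4444, proto="TCP", port=4444, client="192.168.1.23", desc="", lease=0),
]

def parse_mapping(xml_text):
    """Return the New* fields of one port-mapping response as a dict."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.endswith("GetGenericPortMappingEntryResponse"):
            return {child.tag: (child.text or "") for child in elem}
    raise ValueError("no port-mapping entry in response")

def audit(xml_responses, host_firewall_allows):
    """Classify each router mapping against the target host's firewall.

    host_firewall_allows: set of (internal_ip, protocol, port) tuples the
    target machine's own firewall accepts (assumed collected separately).
    """
    findings = []
    for text in xml_responses:
        m = parse_mapping(text)
        key = (m["NewInternalClient"], m["NewProtocol"], int(m["NewInternalPort"]))
        # Forwarded packets only get through if the host firewall also accepts them.
        flags = ["reachable" if key in host_firewall_allows else "blocked-at-host"]
        # Lease 0 in WANIPConnection:1 means no expiry: the mapping stays until deleted.
        if int(m["NewLeaseDuration"]) == 0:
            flags.append("no-expiry")
        findings.append((int(m["NewExternalPort"]), key, flags))
    return findings

if __name__ == "__main__":
    for ext_port, target, flags in audit(SAMPLES, {("192.168.1.10", "TCP", 6881)}):
        print(ext_port, target, ",".join(flags))
```
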