**** BEGIN LOGGING AT Wed Oct 31 02:59:57 2007
Oct 31 04:36:57 farnz: I think I agree with you on 2535. Only supporting NAT is astonishing to me. I have a /24 routed into my home. I don't use OpenWRT as my gateway yet but I'm considering it.
Oct 31 04:38:31 I'm also expecting to have some VPN tunnels and they need to be firewalled "appropriately".
Oct 31 04:40:00 BTW, NAT functions as a bit of a firewall: it prevents outside initiation of TCP. When you don't have NAT, some more threats exist. So firewall policy should be reviewed in light of no-NAT.
Oct 31 07:49:49 dhr: The firewall is default-deny inbound, default-allow outbound in the absence of NAT.
Oct 31 07:57:39 dhr: And it doesn't prevent outside initiation of TCP; if I know your internal addresses, and can route to them (so probably work for your ISP if you're using RFC1918 space), I can initiate connections from outside unless there's a firewall in place.
Oct 31 07:57:51 dhr: The default-deny firewall that OpenWRT sets up is good enough to stop that.
Oct 31 09:33:42 who is dealing with the openWRT web site?
Oct 31 13:06:33 nbd * r9466 /trunk/package/madwifi/ (23 files in 2 dirs): update madwifi to latest version (fixes #2403)
Oct 31 13:48:32 hi, all!
Oct 31 13:48:40 ejka_, hi!
Oct 31 15:57:40 farnz: how can one initiate to something behind NAT? Source routing? I thought that was always disabled in modern systems.
Oct 31 15:58:19 dhr: For the sake of illustration, assume an ADSL system. You control your ADSL modem, I control the DSLAM.
Oct 31 15:58:44 dhr: I configure the DSLAM to route packets to your internal addresses to your ADSL modem, then just rely on normal routing.
Oct 31 16:00:03 dhr: Note the obvious oversimplification of the network setup, but you get the idea.
Oct 31 16:00:07 certainly any firewall rulesets I've built drop packets not addressed to their (external) addresses. Isn't that normal?
Oct 31 16:00:17 That's the firewalling, not the NAT.
Oct 31 16:00:45 true. I guess I just assumed it would be done.
Oct 31 16:01:20 equivalent: don't have a forwarding rule for non-routable addresses.
Oct 31 16:03:18 Not good enough in a router.
Oct 31 16:03:48 In the absence of firewalling stopping it, a router will pass packets from ppp0 to eth0 if the source is reasonable for ppp0 (for some value of reasonable), and the destination is eth0.
Oct 31 16:05:36 For example, anyway.
Oct 31 16:06:11 The thing that vaguely helps with NAT is that if eth0 is 10.0.0.0/8, the chances of a random attacker getting a packet destined to eth0 to ppp0 are low.
Oct 31 16:14:26 in my router/firewall, I only forward "reasonable" things (these are forwarding rules). So even if I turned off firewalling, what you describe won't happen. This is of course not to say that other router implementations would be like mine.
Oct 31 16:15:02 So you don't have IP forwarding enabled?
Oct 31 16:15:32 By default, certainly under Linux, if you've got two network interfaces and IP forwarding enabled, it'll forward packets from one interface to the other if addresses match.
Oct 31 16:16:42 Obviously, if your router doesn't route unless it has explicit instructions to do so, it'll be OK, but that's not NAT, that's restricted routing.
Oct 31 16:16:59 oops. You are right. I've got the terminology mixed up. These are firewall rules on the forwarding chain. Duh. Sorry.
Oct 31 16:18:20 dhr: I suspect people get confused because it's very, very rare to see NAT without firewalling (mostly because you have to solve all the hard firewalling problems to do NAT).
Oct 31 16:18:39 but I think it can be done by routing. What we used to call "advanced routing".
Oct 31 16:19:12 You can do a form of firewalling by routing.
Oct 31 16:20:00 Basically, carefully controlled routing tables to only let the traffic you want through.
Oct 31 16:26:48 I only maintain one firewall. And it has evolved slowly as I moved it from ipfilter to ipfwadm to ipchains to iptables over the years.
Oct 31 16:29:35 pavlov * r9467 /packages/net/l7-protocols/Makefile: update l7-protocols to 10-10-2007
Oct 31 20:22:00 juhosg * r9468 /trunk/package/iptables/Makefile: [packages] iptables: update description of the iptables-mod-ipopt
Oct 31 21:13:35 pavlov * r9469 /packages/net/l7-protocols/ (5 files in 2 dirs): add testing for l7 filters, and modify it so that it actually works
Oct 31 21:14:27 pavlov * r9470 /trunk/package/busybox/Makefile: forgot to bump up the release version from the patches the other day
Oct 31 22:37:59 nbd * r9471 /trunk/include/package.mk: fix default downloads from svn
Oct 31 22:52:29 sudo reboot
Oct 31 23:27:57 nbd * r9472 /trunk/scripts/metadata.pm: indent custom package config code
**** ENDING LOGGING AT Thu Nov 01 02:59:57 2007