Slashdot Mirror


Extraneous Network Services Leave Home Routers Unsecure

An anonymous reader writes "Today's home routers include a multitude of extra functionality, such as the ability to act as a file and print server. An article from CNET shows how an attacker can use vulnerabilities in these services, such as buffer overflows, directory traversal, race conditions, command injections, and bad permissions to take over the router from the local network without knowing the administrative password. Some of the worst vulnerabilities were in undocumented, proprietary services that users cannot disable and allowed an attacker to achieve a root shell. The researchers who discovered the vulnerabilities will be demonstrating them at the Wall of Sheep and Wireless Village at DEF CON."

63 comments

  1. A little late... by Em+Adespoton · · Score: 1

    The researchers who discovered the vulnerabilities will be demonstrating them at the Wall of Sheep and Wireless Village at DEF CON.

    Didn't DEFCON end yesterday?

    1. Re:A little late... by Kufat · · Score: 1

      No, it ends tomorrow.

    2. Re:A little late... by davester666 · · Score: 1

      Except this story was supposed to be posted on Monday.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. slownewsday by djupedal · · Score: 5, Interesting

    Is anyone as tired as I am over these security risks, especially from CNET? I remember when it was announced that someone could spy thru your window, video tape the lights on your modem and decode your communication. Another day, another risk that only happens in either a lab, workshop or a marketer's imagination. 99% are just to attract eyeballs for ad revenue...especially from CNET.

    1. Re:slownewsday by bill_mcgonigle · · Score: 4, Insightful

      I suppose there must've been some new attacks demonstrated. If it was against OpenWRT and its siblings, then probably I'd like to hear about it. All the other proprietary firmwares are assumed to be vulnerable by everybody who cares. Heck, there are still millions of devices running UPnP on the WAN port out there and "nobody" cares.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:slownewsday by Anonymous Coward · · Score: 0

      I remember when it was announced that someone could spy thru your window, video tape the lights on your modem and decode your communication.

      I call category A Bullshit on that.

    3. Re:slownewsday by flargleblarg · · Score: 1

      Is anyone as tired as I am over these security risks, especially from CNET? I remember when it was announced that someone could spy thru your window, video tape the lights on your modem and decode your communication.

      Videotape?!? That would not even work for 100 baud modems. An NTSC videotape will give you 60 fields per second; a PAL videotape will give you 50 fps.

    4. Re:slownewsday by jones_supa · · Score: 1

      Also it would require that the lights actually represent the data going through the pipes. I think that's quite rarely the case.

    5. Re:slownewsday by Anonymous Coward · · Score: 0

      Hyperbole is an important part of any media. You want hype and imagination? Try a 3D printer thread. Hoo boy.

    6. Re:slownewsday by Anonymous Coward · · Score: 0

      IIRC, this was true with ethernet switchgear early on. Some switchgear would simply tie the "activity" LED directly to the data line, so with a fast enough camera, you could indeed record the flashing light and capture the data being sent.

  3. Wall of Sheep by Anonymous Coward · · Score: 0

    I was under the impression that the Wall of Sheep was a way to out those who came to Defcon with improperly secured devices, not show off hacks of "civilians'" devices.

  4. Simpler than that... by Anonymous Coward · · Score: 5, Interesting

    LOADS of routers are pwned far more easily than that, from simple SQL injection (either via query string or crafting get/post requests), or there's sometimes bootloaders that give *full* access to the filesystem via TFTP (you can download all init scripts for example), you can sometimes find undocumented manufacturer backdoor passwords which are hard coded, and there's lots of misconfigured routers and you can often rely on trivial stuff like default passwords and whatnot. Even in 2013 there's lots of routers and similar equipment that are sold or configured in a state that isn't far from Swiss cheese...

    It's rather easy to poke at the firmware and find holes using binwalk and IDA Pro if you have basic RE knowledge.

    1. Re:Simpler than that... by davester666 · · Score: 1

      How many home-routers use SQL for their configuration?

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Simpler than that... by Anonymous Coward · · Score: 0

      BerkeleyDB or SQLite are quite embeddable ...

    3. Re:Simpler than that... by Anonymous Coward · · Score: 0

      Lots of them use SQLite for various things already, so it's not a bad idea to keep the credentials in there too. The problem isn't using SQL per se, it's stupidly using string concatenation which lets any 12yo script kiddies pwn it with something not far from entering ' or '1'='1 as the password... Not that it's a problem limited to routers. When you buy a cheapo router, it's not just the hardware they cheap out on, they often cut corners when it comes to the firmware -- and not just when it comes to security, it often also means having a buggy product.
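
      The string-concatenation mistake described in this comment, shown next to the fix, as an added example (not code from the thread or from any router's firmware). It builds a constructed in-memory SQLite user table; `login_vulnerable` splices the input into the SQL text so `' or '1'='1` as the password turns the WHERE clause true, while `login_hardened` binds parameters and compares a salted PBKDF2 hash in constant time. The table keeps a plaintext password column only so the vulnerable version can be demonstrated; the hardened version never reads it.

```python
"""Constructed example of a router-style login query, vulnerable and fixed.
Added for illustration; not code from any router or from the Slashdot thread."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def setup_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account.
    The plaintext 'password' column exists only so the vulnerable function
    can be shown; the hardened function ignores it."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct-horse", salt, PBKDF2_ROUNDS)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "correct-horse", salt, pw_hash))
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the user's input becomes part of the SQL text.
    A password of  ' or '1'='1  yields
    ... AND password = '' or '1'='1'   which is always true."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_hardened(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus a salted hash compared in constant time.
    The input is bound as data, never parsed as SQL, so quotes in it
    cannot change the query; the stored hash means a database leak does
    not hand out the password either."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    conn = setup_db()
    bypass = "' or '1'='1"
    print("vulnerable, real password :", login_vulnerable(conn, "admin", "correct-horse"))
    print("vulnerable, injected      :", login_vulnerable(conn, "admin", bypass))
    print("hardened, real password   :", login_hardened(conn, "admin", "correct-horse"))
    print("hardened, injected        :", login_hardened(conn, "admin", bypass))
```

      The only difference that matters for injection is the `?` placeholder: the driver ships the value separately from the statement, so the database never sees the quote as syntax.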

    4. Re:Simpler than that... by formfeed · · Score: 1

      ...often rely on trivial stuff like default passwords and what not. Even in 2013 there's lots of routers and similar equipment that are sold or configured in a state that isn't far from swiss cheese.....

      Yeah, but what are the chances that someone named their kid "admin" and that kid would then go and accidentally try to log in on your router using its name also as the password?!

    5. Re:Simpler than that... by Bert64 · · Score: 1

      Cheaping out on the firmware is a ridiculous thing to do... They would be better off not bothering with firmware at all, merely ensuring the hardware is compatible with dd-wrt or openwrt and shipping that.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:Simpler than that... by Anonymous Coward · · Score: 0

      You clearly do not have children.

  5. Requires physical access by DeathGrippe · · Score: 4, Informative

    Attacker has to have access from the LAN side, and must install USB memory first.

  6. The Jokes On Them! by Anonymous Coward · · Score: 2

    The joke's on them because I use my neighbor's unsecured WiFi. I even use his pool when they're not home. I'm a great neighbor.

    1. Re:The Jokes On Them! by crutchy · · Score: 0

      The joke's on you because while you're using his pool he's using your wife.

    2. Re:The Jokes On Them! by Anonymous Coward · · Score: 0

      Joke's on him; my wife's a mannequin!

    3. Re:The Jokes On Them! by crutchy · · Score: 0

      oooh kinky

    4. Re:The Jokes On Them! by ColdWetDog · · Score: 1

      Take my wif(i), please.

      --
      Faster! Faster! Faster would be better!
  7. To be clear by Anonymous Coward · · Score: 5, Interesting

    I looked at some of the source code, and the bash commands they execute, and it looks like you have to be on the local (class C) lan in order to attack at least the Linksys beast (the 192.168.blah.blah sure looks like you can't get there from the WAN side), and if you have the services turned off, then you might be less vulnerable, and if you use hard, non-trivial, non-default passwords, that makes it harder too. I suppose it also helps if you have a router acting as a DNS server, after your WAN facing gateway, and the local DNS box not acting as the main switch (so to sum up, Gateway-DNS-Switch), with everything after the gateway as a Class C lan.

    1. Re:To be clear by dotancohen · · Score: 1

      I looked at some of the source code, and the bash commands they execute, and it looks like you have to be on the local (class C) lan in order to attack at least the Linksys beast (the 192.168.blah.blah sure looks like you can't get there from the WAN side), ...

      The javascript running in your browser has access from the LAN side. I have personally compromised my own home router by running Javascript on my public website as a proof of concept.

      --
      It is dangerous to be right when the government is wrong.
  8. and that's why by bobstreo · · Score: 4, Insightful

    routers should route and probably run access control lists and other firewall stuff like expose some ports in your dmz.

    servers should serve.

    Servers route poorly, routers serve poorly.

    1. Re:and that's why by crutchy · · Score: 0

      the most important function of a router security-wise is NAT

      all the rest is fluff

    2. Re:and that's why by Anonymous Coward · · Score: 0

      the most important function of a router security-wise is NAT

      all the rest is fluff

      That's not a function of the router, it's a function of the firewall.

    3. Re:and that's why by EmperorArthur · · Score: 1

      That's not a function of the router, it's a function of the firewall.

      We wish. In reality, almost no home routers have a firewall. An unfortunate side effect of NAT is that it looks like a firewall that allows outbound traffic. That's the scary thing about IPv6. Most vendors just don't care.

      Plus, if the router doesn't work out of the box then plenty of users will just return it to the store. A firewall by its very nature is designed to prevent certain things from working. On a personal note, I can't wait to not have to worry about NAT traversal for VoIP.

      Another trend to watch is consolidation. No home owner buys a purely wired router any more. Also, plenty of new routers are built into the cable/dsl modem. Face it, the trend is for one box that does everything.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    4. Re:and that's why by ls671 · · Score: 1

      It's not because one uses iptables instead of route to do NAT on Linux that commercial routers don't do NAT.

      http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

      --
      Everything I write is lies, read between the lines.
    5. Re:and that's why by Anonymous Coward · · Score: 2, Insightful

      NAT does not equal security. NAT is not a function of the firewall either. NAT is a function of IPv4, because we would have run out of addresses long ago. A firewall whether stateful or not tracks connections and will deny erroneous ones. A firewall will inspect the packet to make sure it meets the necessary criteria. NAT does not. Please don't conflate the two.

    6. Re:and that's why by Anonymous Coward · · Score: 0

      Or you properly isolate them from one another.

      Think FreeBSD jails. Last I heard, FreeBSD routes and serves perfectly..

    7. Re:and that's why by unixisc · · Score: 1

      We wish. In reality, almost no home routers have a firewall. An unfortunate side effect of NAT is that it looks like a firewall that allows outbound traffic. That's the scary thing about IPv6. Most vendors just don't care.

      How is that a scary thing about IPv6? IPv6 so far does not support NAT. Regardless, as posters below stated, NAT is not a firewall, and an IPv6 that includes a firewall automatically takes care of this.

      TFA - the vulnerabilities that they exposed - did they expose that in both IPv4 AND IPv6? I understand that in addition to the addressing, a lot of other things have changed in IPv6, which would seem to avoid some of the problems, such as buffer overflows. I'd be interested to know whether the same vulnerabilities exist if they were to try doing it in IPv6, as opposed to IPv4.

    8. Re:and that's why by crutchy · · Score: 0

      NAT is just a lookup table used to map addresses of incoming packets... it could be used for any type of addressing.

      its only security advantage is that if it runs into an incoming packet for which the source address doesn't map to a corresponding record in the lookup table, it drops the packet (notwithstanding port forwarding etc), so for home users it works pretty well cos only the packets responding to outbound requests get translated.

      of course the outbound requests could come from anything good or bad, which is where firewalls come into the picture (filtering protocols, ports, etc) but NAT is pretty useful as a gatekeeper.

      https://www.grc.com/nat/nat.htm

    9. Re:and that's why by Anonymous Coward · · Score: 0

      No.. A router can support NAT. A firewall is about access control.

    10. Re:and that's why by KingMotley · · Score: 1

      NAT does not equal security.

      NAT really shouldn't be used for security, but in actuality, it does make networks more secure than without it, so to say it's not security is wrong. It's not great security.

      NAT is not a function of the firewall either.

      This is debatable, but more than likely most would view NAT being a part of the firewall. Firewalls do inspect packets and either forward them on or drop them depending on the rules set up. Doing NAT involves that same thing, but while inspecting outgoing packets you need to change the source ip and port, and then add a rule to incoming packets using the same source ip/port and destination ip/port (but reversed) to allow it and do a reverse translation. As the two functions, firewall and NAT basically require 95% of the same work, NAT is usually part of a firewall package.

      NAT is a function of IPv4, because we would have run out of addresses long ago.

      This is incorrect. First of all, NAT is not a function of IPv4. It's not limited to IPv4, nor even limited to the IP protocol. It became more popular on IPv4 networks because of many reasons, one of which was because of address scarcity, but also because ISPs were only handing out 1 IP address per subscriber. It was mostly used for that reason long before we were worried about running out of IP addresses, but became more prominent as that became an issue.

      A firewall whether stateful or not tracks connections and will deny erroneous ones.

      So do NATs.

      A firewall will inspect the packet to make sure it meets the necessary criteria.

      So do NATs.

    11. Re:and that's why by unixisc · · Score: 1

      NAT is not a part of any protocol - in fact, the IETF routinely designs protocols that break NAT pretty willfully. Simple reason - NAT is just a patch to delay the address exhaustion of IPv4. Fix that issue, and NAT's not needed. Just add firewalls to IPv6 routers, and the same purpose will be served.

      Without breaking end-to-end connections between sources and destinations of internet traffic.

    12. Re:and that's why by unixisc · · Score: 1

      Don't combine them, as the GP says. Use something like pFsense or m0n0wall for the routing, and FBSD for the services.

    13. Re:and that's why by crutchy · · Score: 0

      NAT will still be required for ipv6 because for most of us ISPs will still (as with ipv4) only hand out a single public address per subscriber, so home and small business LANs will still need NAT regardless of whether they use ipv4 or 6

      it may also become standard practice for NAT routers to route ipv4 LAN packets to ipv6 for WAN transmission

      Just add firewalls to IPv6 routers, and the same purpose will be served.

      iptables can perform NAT and firewall functions, but good luck trying to get your typical Windows Defender type firewall to perform NAT. if NAT is arbitrarily removed from new generation ipv6 (generally iptables powered) router appliances, many LANs would be broken

  9. DD-WRT / OpenWRT / Tomato / by Anonymous Coward · · Score: 0

    And this is one (of many) reasons why you should flash your firmware and put a non-vendor one on it. I did a review here: Security-Lessons-Linux-WAP/(language)/eng-US. The actual PDF is here 048-049_kurt.pdf


  10. How to secure home routers by Anonymous Coward · · Score: 2

    I just recently installed a wlan router at a friend's place. The goal was to make it rock solid and secure.

    Here is what I did:
    - Changed default username and set very strong password
    - Changed web admin interface to non-default high port, allow only https
    - Only allow access to the admin interface from a specific ip/mac address
    - Disable telnet and ssh access
    - Disable print server and usb samba share
    - Disable upnp and all vpn/ipsec passthrough
    - Enable stateful firewall, connections must originate from inside the LAN, everything else does not pass the wan interface
    - Disable dns cache and use the dns servers from the isp (served via dhcp)
    - Enable wpa2 for wlan with max password length.

    So far it sails smooth and no complaints. No need to activate all these settings on the routers.

    1. Re:How to secure home routers by ls671 · · Score: 1

      Problem is that some cheap routers keep the functionality alive even when you disable it!

      Some are notorious for being hackable with WPS even when the functionality is disabled:

      https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c

      --
      Everything I write is lies, read between the lines.
    2. Re:How to secure home routers by Zebai · · Score: 1

      I don't really think there's a need to disable all that either. Personally, for my home connection the only real security I need is to block all remote connections and prevent any administrative access from wifi. If I could set my router to not even require a password for LAN connections I would; I need no such security for my computer, hardwired to my network inside my locked home.

      I'm sure if I ran it on some larger network security is important, but the article does say HOME routers.

    3. Re:How to secure home routers by Anonymous Coward · · Score: 0

      It's too bad he likes porn so much and his bad habits let java allow us to pwn his computer. We have all his passwords, and have already compromised the firewall from the inside interface (since you allowed all traffic from the LAN side). Currently his desktop serves out spam and the router you carefully set up serves up midget porn from another compromised squid proxy.

    4. Re:How to secure home routers by Anonymous Coward · · Score: 0

      yes true, WPS should be disabled as well.

  11. including wifi, so don't plug in USB by raymorris · · Score: 2

    The LAN side access isn't difficult with WIFI, and the ATTACKER doesn't need to plug in his own USB, having any USB plugged in will activate the unauthenticated SMB.

    The take-home message, then, is don't plug USB storage into your router, and do use WPA2, not earlier WiFi security protocols.

    1. Re:including wifi, so don't plug in USB by Bert64 · · Score: 1

      And some people plug their phones into the router because it's a convenient always-on usb port for charging...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  12. because NAT acts like a firewall, as a side effect by raymorris · · Score: 2

    It's worrisome because although NAT is not designed to take the place of a firewall, in fact it often does. For home or SOHO users, it's actually reasonably good as a firewall. They "should" have better, you might argue, but in fact they don't, most often. IPv6 removes the need for NAT, possibly leaving many SOHO users with no firewall-like protection.

  13. Re:because NAT acts like a firewall, as a side eff by tlhIngan · · Score: 2

    It's worrisome because although NAT is not designed to take the place of a firewall, in fact it often does. For home or SOHO users, it's actually reasonably good as a firewall. They "should" have better, you might argue, but in fact they don't, most often. IPv6 removes the need for NAT, possibly leaving many SOHO users with no firewall-like protection.

    You can have NAT with IPv6 - I believe there's even an RFC for it, and an implementation on FreeBSD. Linux did get patches that were rejected. Hell, there's even NAT-PT, which lets IPv4-only hosts access IPv6 only hosts (and vice-versa). Imagine that - we could switch and continue life as we know it, and don't care if we're talking to an IPv4 or IPv6 host.

    NAT has an awesome advantage - it isolates your internal network numbering from the external network numbering. Many early RFCs on the early Internet were fixated around people having to renumber their networks because of conflicts in their network addressing, and enough people had trouble that they created the private address space so future networks will not have to undergo such renumberings and disruption.

    It certainly would be nice to be isolated from my ISP's whims and wishes for most of my stuff on the network. Sure I'll have to deal with it for a few servers I have, but I'd rather do it for a few than for every.

    Of course, the problem is the IPv6 fanboys who believe IPv6 means complete end-to-end connectivity again and that NAT has absolutely no use in an IPv6 world and even suggesting NAT impacts IPv6 "purity" that keeps IPv6 adoption from happening widely. Of course, end-to-end connectivity is broken anyways with proper firewalls (at least a program can detect private network access and assume firewall usage, but with IPv6, it's impossible).

    And I'm sure people would prefer to have IPv6 to operate like IPv4 did with NAT as it's a lot less to learn and things work on IPv6 as they did with IPv4.

  14. Re:because NAT acts like a firewall, as a side eff by Anonymous Coward · · Score: 0

    NAT + stateful firewall ~= !NAT + stateful firewall. I.E., NAT gives you no more protection than a proper firewall would.
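
    The point made in this comment, and the mechanics crutchy and KingMotley describe further up (a lookup table keyed on the outbound flow; the reverse entry that lets the reply through; everything else dropped), as an added example that is not code from the thread or from any router. It is a constructed toy model in Python: `NatGateway` rewrites outbound sources to one public address and only translates inbound packets that match a recorded mapping or an explicit port forward; `StatefulFirewall` does no rewriting at all (a routable LAN, as with IPv6) and admits inbound only as a reply to a tracked flow or via an explicit allow rule. All addresses are from the documentation ranges. The model is an endpoint-dependent ("symmetric") NAT; a full-cone NAT would forward any packet sent to a mapped port, which is weaker than what is shown here.

```python
"""Toy model: NAT gateway versus stateful firewall (constructed, added example)."""
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Port-address translation behind one public address.
    Outbound: rewrite the source and remember the mapping.
    Inbound: translate only if a mapping (or a port forward) exists;
    anything else has nowhere to go and is dropped as a side effect."""

    def __init__(self, public_ip: str, port_forwards=None):
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards or {})  # public_port -> (lan_ip, lan_port)
        self._table = {}    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self._reverse = {}  # that 4-tuple -> public_port
        self._next_port = count(1024)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._reverse.get(key)
        if public_port is None:
            public_port = next(self._next_port)
            self._table[public_port] = key
            self._reverse[key] = public_port
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._table.get(pkt.dst_port)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # endpoint-dependent: only the peer the mapping was made for
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        forward = self.port_forwards.get(pkt.dst_port)
        if forward is not None:
            return replace(pkt, dst_ip=forward[0], dst_port=forward[1])
        return None  # no record to translate to: dropped, not by policy


class StatefulFirewall:
    """Connection tracking with no address rewriting (routable LAN).
    Inbound passes only as the reply to a tracked outbound flow or when an
    explicit allow rule names the destination; otherwise dropped by policy."""

    def __init__(self, allow_inbound=()):
        self.allow_inbound = set(allow_inbound)  # (lan_ip, lan_port)
        self._flows = set()                      # reversed 4-tuples

    def outbound(self, pkt: Packet) -> Packet:
        self._flows.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self._flows:
            return pkt
        if (pkt.dst_ip, pkt.dst_port) in self.allow_inbound:
            return pkt
        return None


def demo() -> dict:
    """Put both boxes through the same three situations (constructed traffic)."""
    nat = NatGateway("198.51.100.1", port_forwards={8080: ("192.168.1.20", 80)})
    fw = StatefulFirewall(allow_inbound={("2001:db8::20", 80)})
    r = {}
    # 1. A LAN host opens a connection; the reply must get back to it.
    out = nat.outbound(Packet("192.168.1.10", 40000, "203.0.113.5", 80))
    r["nat_reply"] = nat.inbound(Packet("203.0.113.5", 80, out.src_ip, out.src_port))
    fw.outbound(Packet("2001:db8::10", 40000, "2001:db8:1::5", 80))
    r["fw_reply"] = fw.inbound(Packet("2001:db8:1::5", 80, "2001:db8::10", 40000))
    # 2. An unsolicited probe of an admin service from outside.
    r["nat_probe"] = nat.inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 22))
    r["fw_probe"] = fw.inbound(Packet("2001:db8:1::9", 4444, "2001:db8::10", 22))
    # 3. Something the administrator deliberately exposed.
    r["nat_forward"] = nat.inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 8080))
    r["fw_allowed"] = fw.inbound(Packet("2001:db8:1::9", 4444, "2001:db8::20", 80))
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {'DROP' if result is None else result}")
```

    Both boxes give the same answer in all three cases, which is the comment's point: the protection comes from tracking state and dropping what has no matching record, and that part does not need address rewriting. The difference is where the dropping lives. In the firewall it is an explicit rule that stays in place whatever the addressing; in the NAT it is a by-product of the translation table, and vanishes the moment there is nothing to translate.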

  15. To the sec guys by Anonymous Coward · · Score: 0

    For a change, why don't you tell me tips how to improve the security of my equipment, instead of going "naa-naa-na-naa-naa, there's this and that vulnerability in your gear".

    1. Re:To the sec guys by Cederic · · Score: 1

      I'm not a 'sec guy' but for home routers:
      - upgrade your router firmware, often
      - disable services you don't need
      - use strong passwords
      - disable remote admin access
      - read articles like this one and understand where you're vulnerable despite all of the above. Research the extent and severity of the risks and make an informed decision on whether you should purchase a separate dedicated firewall device (or two), on whether you should use another firmware or device because your existing router is just too risky, and on whether you should just pay someone else to do all of this for you if you're not able to do it yourself

      Telling you "there's this and that vulnerability in your gear" is a valuable service and it's not their fault that you lack the personal skills to benefit from it.

  16. Who cares? They are local "attacks" by sirwired · · Score: 1

    As long as it's only "vulnerable" to "attacks" from the local network, who really cares about vulnerabilities? It's a home router; I'm surprised home routers even have the ability to enforce things like directory permissions at all. I hardly need to "protect" my files from my wife; if she wants to read my stuff, she has much easier ways than launching a buffer overflow attack on my router.

    If you want real security, buy something designed to care.

    1. Re:Who cares? They are local "attacks" by Bert64 · · Score: 1

      XSRF attacks - i.e. redirecting your browser to issue requests to your internal router...
      Insecure wifi.
      Guests.
      Already infected mobile devices.
      Small hotels/cafes which provide wifi access using a small router like those described.

      Plenty of scope for malicious devices to get into your home network and be used to attack the router.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  17. Re:because NAT acts like a firewall, as a side eff by unixisc · · Score: 1

    It's worrisome because although NAT is not designed to take the place of a firewall, in fact it often does. For home or SOHO users, it's actually reasonably good as a firewall. They "should" have better, you might argue, but in fact they don't, most often. IPv6 removes the need for NAT, possibly leaving many SOHO users with no firewall-like protection.

    That is tangential to the question of whether IPv6 comes with or without a firewall. Any router that's worth anything comes with a firewall. Regardless of whether it has NAT or not. !NAT != !Stateful_firewall.

    On the question of this story, I do agree with bobstreo - routers should route and servers should serve i.e. routers shouldn't have things like FTP, SCP, SSH, SMTP, IMAP/POP or any other servers on it. It should have 2 and only two functions - routing traffic from one network to another, and providing a filter on the traffic that comes into the LAN that's behind it. Beyond that, nothing. One way could be to, as some have suggested, put something like pFsense, m0n0wall or OpenWRT

  18. Signed updates... by Bert64 · · Score: 1

    One of the recommendations is that manufacturers use signed updates... This won't help with issues like those disclosed, and may even make it worse...

    The primary reason for including signed updates is to prevent third party firmware from being used, it does nothing to stop the official firmware from having security holes, and it's very unlikely that a hacker is going to completely reflash the device to run a custom firmware rather than backdooring the existing firmware. On the other hand, manufacturers generally only support these devices with official firmware updates for a very short period of time if at all, so third party firmware may be the only way to fix some of these holes.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  19. Fuck WIFI by WOOFYGOOFY · · Score: 1

    Look if you don't have to have WIFI at home then don't.

    You can buy a USB to rj45 adapter for any device. Buy an 8 or 12 port switch, locate it centrally, run short cords from there to multiple jacks in rooms and from there have short cords available for plugin. Done. Use different color cords for devices in close proximity just to make it easy to trouble shoot.

    It's clean, it's convenient, you can scale it up as you need and you don't have to worry about all the bad programming bugs that WIFI routers are sporting.

    1. Re:Fuck WIFI by Chrontius · · Score: 1

      And my Chromecast has a USB port? Actually, it does. But it's a power sink, not a power source, so you'd need some kind of weird PoE injector/receiver/USB-to-Ethernet device, and pray that the Chromecast can talk to an ethernet adapter over that USB port. I don't even know if USB OTG lets a device be a power source and a data sink.

      What about my iPad? Am I to buy $60 in hardware and hope the camera kit will talk to an Apple ethernet-to-USB adapter (if you can still find that discontinued adapter)? What about the Nest thermostat? Where do I plug in the USB port?

  20. pfsense by n3r0.m4dski11z · · Score: 1

    Pfsense and a computer with two network cards is all you need. Pick up a used cisco access point and add a 3rd nic for wireless.

    Rock solid, guaranteed no back doors. Installs in less than 15 minutes from cd. Dependability based on BSD and the parts you put in it. Get a cheap core2duo era xeon 1u server for 100 bucks, and make it look even slicker

    --
    -
    1. Re:pfsense by airdweller · · Score: 1

      Or, better, a m1n1wall for $200-something. Set it up. Connect your router.

  21. i tire of the scares by Anonymous Coward · · Score: 0

    and my router is as secure as the zipper on my fly

  22. Re:because NAT acts like a firewall, as a side eff by unixisc · · Score: 1

    Firewalls have nothing to do w/ end to end connectivity. End to end connectivity simply means that the source or destination addresses are not tampered with while the packets are en route - something that's violated in NAT. A packet can go from a source to a destination, and get dropped by the firewall if it violates certain rules, but that doesn't mean that end to end connectivity is not there.

    NAT-PT is not about IPv4-IPv6 connectivity - it's just about bringing certain features, such as load balancing, to IPv6 - that's one of the rare benefits to NAT. Also, in NAT-PT, there is a 1:1 relationship between the public address and link-local address, unlike in IPv4, where a 1:many relationship was needed due to address shortage.