 From:  "Bart Smit" <bit at pipe dot nl>
 To:  "Andres Petralli" <apetralli at icu dot unizh dot ch>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] UPNP
 Date:  Tue, 25 Oct 2005 12:00:40 +0200 (CEST)
Andres, list,

> Given this, I would say that uPNP could be a very nice "feature" for
> those users. Of course some people might think of it as a "security
> hole" but if it's not enabled by default and can only be turned on by
> people who know what they are doing (I would say those who install a
> m0n0wall should already know what they are doing) then it can be
> considered as a "safe" feature.

I have been witnessing the uPNP discussion for some time now, and
there's an aspect that was not yet mentioned I think:

Supporting flawed protocols goes a long way towards aiding their
acceptance. If firewalls generally support uPNP, there is no barrier
anymore against its use. Is this something m0n0wall wants to do? Do we
really want to remove friction for uPNP? I thought that "educating
users" was rather high on the list of essential security measures.

Now don't give me the "but everybody else is doing uPNP", because I
don't buy it. If little Johnny would jump into the river, would you
too?

I'd suggest we steer clear of, and take an unforgiving stance towards
bad security.

--Bart