Archived from groups: comp.security.firewalls
I was reading some posts over on the DSLReports forums. The discussion was
about firmware and the Port 113 issues. You know stealth vs closed, blah,
blah, blah. One guy responded with something that seemed curious to me so I
thought I'd post it here to see if this was correct. Seems to defeat the
purpose of forwarding to a non-existent address in the first place.
****************************************************************************
I'm using 1.45.7 on the "41" without any issues -- when I forward port 113,
I forward it to an active address [WinPC] that does not have the port bound
to any service. I use a PC because using a non-existent address causes two
issues that I want to avoid...
First, a packet forwarded to a non-existent [inactive] address will cause
the switch part of the LinkSys to forward the frame to ALL ports -- this
will effectively send the data [which, could very well be malicious] to all
PCs on my LAN -- the malformed or malicious packet will be received by all
PCs on the LAN -- this, in my opinion, is a security hole, if for no other
reason than it leaves your LAN open to flooding. On a switch, any IP address
that does not have a corresponding MAC address in the switch table will be
flooded to all ports -- you may as well use the LAN broadcast address -- a
bad thing, so make sure you know what you're doing.
****************************************************************************
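The mechanism the quoted responder is describing is unknown-unicast flooding: a learning switch only knows a destination port for MAC addresses it has already seen as a source, and anything else goes out every port. The learning-switch model below is an added example, not code from the thread or the LinkSys firmware; the MAC addresses and port layout are constructed. It shows the forwarded port-113 frame reaching a single port when the destination PC has been learned and every other port when it has not.

```python
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample MAC addresses for the scenario in the post (not real hosts).
ROUTER_MAC = "00:00:5e:00:53:01"   # LinkSys LAN side, on switch port 0
WINPC_MAC = "00:00:5e:00:53:02"    # live PC with nothing listening on 113, port 2
GHOST_MAC = "00:00:5e:00:53:ff"    # a station that does not exist on the LAN


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes = b""


@dataclass
class LearningSwitch:
    """Minimal learning-switch model: learn source MAC per port, forward by table."""
    ports: int
    mac_table: dict = field(default_factory=dict)  # dst MAC -> egress port

    def handle(self, frame: Frame, ingress: int) -> list[int]:
        """Return the list of ports the frame is sent out of."""
        self.mac_table[frame.src] = ingress            # learn where src lives
        egress = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or egress is None:
            # Broadcast or unknown unicast: flood to every port except ingress.
            return [p for p in range(self.ports) if p != ingress]
        return [] if egress == ingress else [egress]   # known: single port


def forward_113(sw: LearningSwitch, dst_mac: str) -> list[int]:
    """The router (port 0) emits the forwarded port-113 packet toward dst_mac."""
    return sw.handle(Frame(src=ROUTER_MAC, dst=dst_mac, payload=b"SYN to tcp/113"), 0)


def demo() -> tuple[list[int], list[int]]:
    sw = LearningSwitch(ports=4)                       # port 0 router, 1-3 PCs
    # The live PC has talked to the router before, so the switch learned its port.
    sw.handle(Frame(src=WINPC_MAC, dst=ROUTER_MAC), ingress=2)
    to_live_pc = forward_113(sw, WINPC_MAC)            # -> [2]: one port only
    to_ghost = forward_113(sw, GHOST_MAC)              # -> [1, 2, 3]: flooded
    return to_live_pc, to_ghost


if __name__ == "__main__":
    live, ghost = demo()
    print("live PC:", live, "| unknown station:", ghost)
```

Whether the flood happens at all also depends on the router: it needs an ARP reply to build a unicast frame for the target IP, and when no host answers, many routers drop the packet rather than emitting a frame to an unknown MAC.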