Comment by the8472
At least there's an explicit standard for signalling: RFC 6887 Port Control Protocol. Many routers also support it.
But it's often disabled for the same reason as having router-level firewalls in the first place.
At least there's an explicit standard for signalling: RFC 6887 Port Control Protocol. Many routers also support it.
But it's often disabled for the same reason as having router-level firewalls in the first place.
> Ingress being disabled doesn’t really net you all that much nowadays when it comes to restricting malware.
But how much of this is because ingress is typically disabled so ingress attacks are less valuable relative to exploiting humans in the loop to install something that ends up using egress as part of it's function.
> But it's often disabled for the same reason as having router-level firewalls in the first place.
Yeah, anything that allows hosts to signal that they want to accept connections, is likely the first thing a typical admin would want to turn off.
It’s interesting because nowadays it’s egress that is the real worry. The first thing malware does is phone home to its CNC address and that connection is used to actually control nodes in a bot net. Ingress being disabled doesn’t really net you all that much nowadays when it comes to restricting malware.
In an ideal world we’d have IPv6 in the 90’s and it would have been “normal” for firewalls to be things you have on your local machine, and not at the router level, and allowing ports is something the OS can prompt the user to do (similar to how Windows does it today with “do you want to allow this application to listen for connections” prompt.) But even if that were the case I’m sure we would have still added “block all ingress” as a best practice for firewalls along the way regardless.