From: "Neal P. Murphy"
Subject: Re: Hairpin NAT - possible without packet marking?
Date: Tue, 4 Jul 2017 03:07:39 -0400
Message-ID: <20170704030739.3746d533@playground>
References: <1363a246-966e-59fc-7d5a-efaf12aa6b51@dynator.no> <4c60ba2e-3e52-f55d-96e1-699c7821940d@pobox.com> <6773e78c-f0e6-508d-0a72-d5880705756d@pobox.com> <1402388a-fb32-d7af-bc3a-6f25b8a2f47a@pobox.com>
Cc: "netfilter@vger.kernel.org"

On Tue, 04 Jul 2017 07:48:36 +0200 K wrote:

> What do all the locks in the world help when you invite the burglar in for tea? In other words: most IT departments have the incoming traffic pinned down as you described, but a single executable disguised as a clip of a cute kitty, downloaded and executed by any employee is what nowadays forms the real threat.

And that's why I maintain that SSL/TLS is one of the worst things that could've happened to The Internet: our peripheral firewalls are powerless to prevent malware from traversing conns encrypted with SSL/TLS.

Neal

>
> On July 4, 2017 3:14:59 AM GMT+02:00, Robert White wrote:
> >They had
> >people sharing segments of their hard drives. Pooled servers with just
> >ludicrously broad write policies, printers, store and forward scanners,
> >all the normal stupid things that let business function. And you know
> >what, it's well they should. Security that becomes a denial of service
> >attack on the corporation's innards just encourages misuse.