On Mon, 25 May 2020 09:40:07 +0100
The Natural Philosopher wrote:
> On 25/05/2020 08:25, Andy Burns wrote:
> > Ahem A Rivet's Shot wrote:
> >
> >> The Natural Philosopher wrote:
> >>
> >>> yes BUT your way involves spoofing internal source addresses on an
> >>> external interface.
> >>> In short a compromised ISP
> >>
> >> Network security should be based on the assumption that everything
> >> you don't control is potentially hostile.
> >
> > So drop all spoofed packets arriving at the external interface.
>
> I can't see why any NAT router wouldn't do that anyway.

It should, of course, and I suspect nearly all do (I don't use
off-the-shelf routers, so I don't know). I think the whole point of this
sideline is that NAT is not enough: you need filtering too, and any sane
router configuration will do both. It is important to understand this if you
plan to mess with router configuration.
--
Steve O'Hara-Smith | Directable Mirror Arrays
C:\>WIN | A better way to focus the sun
The computer obeys and wins. | licences available see
You lose and Bill collects. | http://www.sohara.org/
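
An added example, not part of the original post: one way to do both NAT and filtering on a router, including the drop of spoofed internal sources on the external interface discussed above. It assumes a Linux router running nftables; the interface names `wan0` and `lan0` and the LAN prefix 192.168.1.0/24 are hypothetical.

```nft
#!/usr/sbin/nft -f
# Assumptions (not from the thread): Linux router with nftables,
# external interface wan0, internal interface lan0, LAN 192.168.1.0/24.
define WAN = "wan0"
define LAN = "lan0"
define LAN_NET = 192.168.1.0/24

table ip edge {
    # Source ranges that should never arrive from outside.
    # If the WAN side itself sits in private space (double NAT),
    # remove the range the upstream really uses.
    set wan_bad_src {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16 }
    }

    # Filtering, part 1: runs before connection tracking and NAT.
    chain antispoof {
        type filter hook prerouting priority -300; policy accept;
        # Internal or loopback source seen on the external interface.
        iifname $WAN ip saddr @wan_bad_src counter drop
        # Reverse-path check: drop when the route back to the source
        # does not leave through the interface the packet arrived on.
        iifname $WAN fib saddr . iif oif missing counter drop
    }

    # Filtering, part 2: default-deny forwarding. NAT alone does not
    # provide this; it only rewrites addresses.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname $LAN oifname $WAN ip saddr $LAN_NET accept
    }

    # NAT: rewrite LAN sources on the way out.
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

The `counter` statements make dropped spoofed packets visible in `nft list ruleset`, which is a quick way to confirm the filter is actually being hit.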