BBC News - 'Fresh proposals' planned over cyber-monitoring

Ian Batten igb at
Mon May 13 22:30:01 BST 2013

On 13 May 2013, at 18:45, Florian Weimer <fw at> wrote:
> Similarly, I don't think we want our fridges to be reachable from the
> public Internet at large, just because it happens to have an IPv4
> address for our own (personal) use.

I don't buy that argument.  It's trivially easy for routers to have a default-block firewall rule with outbound state tracking, which mimics the security semantics of NAT.

> pass out quick on ip.tun1 from any to any keep state
> block in quick on ip.tun1 from any to any

That does, however, permit those of us that do want access to our internal machines to do so as well.  NAT and firewalling are different, and using the one as a hacky way of doing the other is assuming that everyone's requirements for both run in lockstep.
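
The semantics of the two rules quoted in the message, as an added example that is not part of the original post: a minimal Python model of default-block-in with outbound state tracking, plus one explicit inbound pass rule for a host its owner does want reachable. The addresses are constructed documentation-range values and the class, function and host names are hypothetical; timeouts and TCP flag tracking are left out.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str
    src: tuple      # (address, port)
    dst: tuple      # (address, port)

@dataclass
class StatefulFirewall:
    allow_in: set = field(default_factory=set)  # explicit inbound holes: (proto, (addr, port))
    states: set = field(default_factory=set)    # flows opened from the inside

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # "pass out quick ... keep state": remember the flow so replies match
            self.states.add((pkt.proto, pkt.src, pkt.dst))
            return "pass"
        # A reply carries the recorded flow's endpoints swapped
        if (pkt.proto, pkt.dst, pkt.src) in self.states:
            return "pass"
        # A "pass in" rule placed ahead of the block rule (assumed addition)
        if (pkt.proto, pkt.dst) in self.allow_in:
            return "pass"
        # "block in quick ... from any to any"
        return "block"

# Constructed sample addresses (RFC 5737 documentation ranges)
FRIDGE, SSH_HOST = "203.0.113.10", "203.0.113.20"
SERVER, STRANGER = "198.51.100.7", "192.0.2.99"

def demo() -> dict:
    fw = StatefulFirewall(allow_in={("tcp", (SSH_HOST, 22))})
    return {
        "fridge_out": fw.filter(Packet("out", "tcp", (FRIDGE, 40000), (SERVER, 443))),
        "server_reply": fw.filter(Packet("in", "tcp", (SERVER, 443), (FRIDGE, 40000))),
        "unsolicited_to_fridge": fw.filter(Packet("in", "tcp", (STRANGER, 5555), (FRIDGE, 80))),
        "server_other_port": fw.filter(Packet("in", "tcp", (SERVER, 443), (FRIDGE, 80))),
        "ssh_to_chosen_host": fw.filter(Packet("in", "tcp", (STRANGER, 5555), (SSH_HOST, 22))),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The fridge keeps its public address yet only sees replies to flows it opened, while the one host with an explicit rule stays reachable.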


