basmeerman/unifi-usg-kpn

Disabling source validation is insecure

Closed this issue · 3 comments

"source-validation": "disable"

in the config disables some parts of the firewall, which is very insecure; more can be read here: https://nl.wikipedia.org/wiki/Internet_protocol_spoofing

Instead of this config I would like to show this: https://free2wifi.nl/2018/09/25/ubnt-usg-iptv/ (in Dutch), which shows a config that does not use this insecure setting and also does not seem to suffer from the issue with the next hop.
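To make the objection concrete, here is an added example (not code from the basmeerman/unifi-usg-kpn repository or from either commenter) that audits a config.gateway.json fragment for the setting quoted above and produces the corrected version. The two JSON fragments are constructed for illustration; the assumption is that `firewall.source-validation` in config.gateway.json carries the same values as the EdgeOS CLI option `set firewall source-validation {disable|loose|strict}`, and that the setting defaults to `disable` when absent.

```python
"""Audit a USG config.gateway.json for the firewall source-validation setting.

Added example, not part of the repository. Config fragments are constructed.
Assumption: firewall.source-validation takes the EdgeOS values
disable / loose / strict and defaults to 'disable' when the key is absent.
"""
import json

# Constructed fragment: the setting objected to in the issue.
WEAK_CONFIG = """
{
  "firewall": {
    "source-validation": "disable"
  }
}
"""

# Constructed fragment: reverse-path filtering kept on.
HARDENED_CONFIG = """
{
  "firewall": {
    "source-validation": "strict"
  }
}
"""

# Semantics follow Linux rp_filter, which EdgeOS uses underneath:
#   disable - no check; a packet whose source would not be routed back out the
#             arriving interface is still accepted, so spoofed sources pass
#   loose   - accepted if any route to the source address exists
#   strict  - accepted only if the route back to the source uses the
#             interface the packet arrived on
ACCEPTABLE = {"loose", "strict"}


def source_validation(config: dict) -> str:
    """Effective value; assumption: EdgeOS treats an absent key as 'disable'."""
    return config.get("firewall", {}).get("source-validation", "disable")


def audit(config_json: str) -> list:
    """Return a list of findings (empty when reverse-path filtering is on)."""
    value = source_validation(json.loads(config_json))
    if value in ACCEPTABLE:
        return []
    return [
        f"firewall.source-validation is '{value}': reverse-path filtering is "
        "off, so packets with spoofed source addresses are not dropped"
    ]


def harden(config_json: str, mode: str = "strict") -> str:
    """Return the same config with source-validation set to `mode`,
    leaving every other key untouched."""
    if mode not in ACCEPTABLE:
        raise ValueError(f"mode must be one of {sorted(ACCEPTABLE)}")
    config = json.loads(config_json)
    config.setdefault("firewall", {})["source-validation"] = mode
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
    print(harden(WEAK_CONFIG))
```

If `strict` drops legitimate traffic on a setup with asymmetric routes (an IPTV VLAN whose return path differs from the arriving interface, for instance), `loose` is the middle ground: it still rejects sources the router has no route to at all, instead of switching the check off entirely.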

Hi Robert, thanks. I was out for a bit, therefore the delayed response.
I've applied the change you suggested. To be honest my own config differs quite a bit since publishing the repo. I'm using VLANs for IoT device isolation and put the decoders in separate VLANs as well.

My understanding is that the other configuration has no nextHop issue since KPN is not changing the router IP that often. But if they do, you need to re-edit the JSON or, in this case, run the bash file (either by cron job or by hand). Your choice :-)

Thanks for taking the time to provide the feedback.

With the other config I never had an issue with the next hop so far after running it for a few months, while previously with this config it sometimes broke down several times per week. By no means do I want to bash your work; I've happily used it for a while, so I'm still very thankful for all your effort :)

To be honest my own config differs quite a bit since publishing the repo. I'm using VLANs for IoT device isolation and put the decoders in separate VLANs as well.

Do you have the possibility to share that solution? It’s exactly what I would like to achieve.