Great news, you can pick your ball up and go home to roll your own distro. You dont have to care what RedHat does.

Obviously if package makers start targetting SystemD, that will affect you, but then again you can also make your own packages if you dont like their decision.

Because comparing an end-user facing daemon to a core system dependency is a little nuts. One will be tested to a much higher level than the other.

And the RedHat decision was motivated by...?

Im sure RedHat engineers have no frigging clue what theyre doing, they should troll the slashdot boards more often for the grains of wisdom found here,.

I dont believe I ever used the word trivial in this comment thread, and your incredible hostility doesnt really make me want to respond to the question on 2012 / 2013. Congrats, you figured out how to "win" a discussion!

Its done every year at Pwn2Own.

This is not entirely correct, and is his entire point. Someone who is directly connected to the WAN of your router COULD access a port on the inside by manually supplying a route to your private network.

The security value of NAT is that WAN hosts do not generally have a way of routing traffic to your internal private subnet. However, if an attacker had control of every router between them and you, they could manually set up a route into your network.

In that sense he is correct: NAT doesnt provide any guarantees, because hypothetically a hacker could first hack your ISP, and set up static routes to your internal NATted network, and then directly access your internal network remotely.

The reason I continue to say it IS security is because NO security measures are absolute, and security is about layering to reduce risk. Taking the set of attackers from "Everyone on the internet" to some subset of that is an increase in security.

To demonstrate how this all works, lets use the following:

Your private network:
Computer: 192.168.50.5 (listening on port 80)
Router: 192.168.50.1

WAN:
Your router: 1.1.1.1
Your ISP's router: 1.1.1.2
My ISP's router: 9.9.9.2
My router: 9.9.9.1

If I wanted to access your computer, and you had no active connections, I would be unable to: your router would not automatically map any connections to 192.168.50.5, so any connections to 1.1.1.1 / port 80 would just get discarded with your router saying "WTF am I supposed to do with this?". However, if a packet arrived at your router addressed to 192.168.50.5 directly, your router would happily pass that packet on through.

The security here comes from the fact that if my router addresses a packet to 192.168.50.5, it will not know where to send it and will drop it. If I added a manual route to my router saying "packets to 192.168.50.5 go to 9.9.9.2", it will route it to my ISP's router-- who wont know where to send it, and will drop it (I believe it will send a "no route to host" ICMP message). Similarly, traceroute 192.168.50.5 will give "no route to host".

In order for me to break into your network, I would need to take control of both ISP routers (9.9.9.2 and 1.1.1.2), and add a manual route indicating how to route those packets (or modify the OSPF or BGP configuration to distribute those routes). The spec around private addressing in general is where the real security comes from, as it indicates that proper behavior is to not route packets addressed to a private RFC1918 address on the internet.

NAT isnt broken; it isnt designed as a security function, but as a way of stretching addresses. Its ability to hide network details is somewhat of a side effect of that, and that provides the security function-- but its much simpler to just set up a stateful firewall than to set up NAT if all you care about is security.

* RFC1918-- in case this term isnt clear, it refers to non-routable subnets which are not tracked by the public internet addressing authority (IANA). These subnets are what most consumer routers come preconfigured with:
  + 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  + 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  + 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

If you want to run a test, I will turn off my stateful firewall and give you my current WAN address, and the private IP of a host running a web server; the test would be to see whether you are able to determine what the text of that webserver is.

You wont be able to, however, because as we all know no ISP in the world is going to route your packet because the destination address will be RFC1918-- not because theyre good guy ISPs, but because they cant. This proves the point: The use of NAT-- even in the absence of a firewall-- removes you from the pool of potential attackers, along with anyone not living in the same geographical area as me.

Thats not my deal. People shouldnt rely on NAT solely; I do not disagree. Stateful firewalls are a dime a dozen. But your constant statement that NAT has no security value whatsoever is clearly incorrect.

You dont fight ignorance with half truths. You can combat incorrect configurations by saying "yea, this is better than nothing, but its extremely poor practice in any case."

I dont admit Im wrong not because Im stubborn, but because the security value given by NAT is affirmed by several vendors, none of whom dispute the potential vulnerability you present, but who nevertheless would mark NAT as a part of a security strategy alongside a firewall. If you want me to reject everything I know about routing, and public / private addressing, and everything these vendors are saying, you need to come in here with a lot more than a simple experiment that wont work on the production internet.

The issue is also whether you allow society to dicatate what medical procedures are performed on your body.

Lets not forget the fine history of unethical human medical experimentation in the United States. And people think we should just give the government carte blanche to dicate medical procedures?

Unbelievable. Something about history, and being doomed to repeat it...

Its not about someones snowflake not tolerating a needle, its about living in a society where such things as "what medical procedures we perform" are family decisions rather than societal ones.

The real problem is that the medical community has done a lot over the years to make people justifiably hesitant to blindly trust their every whim.

That said this headline is misleading, immunization is a requirement to use public schools, but public schooling is not required.

You want a lot of progress, quickly? Get a dictator.

Want a free society? Accept that changes are going to be slow because there isnt a dictator.

Thats not really what it does, though its sort of close.

NAT covers a large number of different scenarios; the specific one we are discussing is known as Source NAT, or dynamic NAT (or PAT, in the Cisco world).

In this scenario you have a range of private IP addresses that are not publicly routable, and a single publicly routable WAN IP address to be shared among those private hosts. Each IP packet sent will have a source IP, source port, destination IP, and destination port. The router takes each outbound packet, tears down the layer 2, 3, (and possibly 4) headers, and re-writes the "source" port and IP address using a "pool" of NAT IPs and ports. It forwards the rewritten packet on, and stores in a table the mapping of the private host's IP and source port to the NAT IP/port. Return packets matching that pair of NAT IP/port will be translated (rewritten) to target the private host that originally sent them.

The argument being made is that technically this mechanism does not, in itself, identify and block unsolicited traffic-- which is correct. Technically if you were to guess a mapped pair, you could sneak an unsolicited packet through; if I've opened a connection to Google, (my private IP: 192.168.50.5) and my NAT'd IP/port is "5.5.5.5 / 5238", ANYONE could send a packet to that pair and it should get forwarded through.

In reality, there are problems with this that make it difficult to do, the most obvious being that the private host will simply reject that packet as it does not match an active TCP connection that it recognizes. Additionally, this does not work with listening services (which will not have a PAT mapping, as they arent generally initiating connections), and if there are no active conversations no one on the internet will be able to get their traffic to the private host as the router simply wont have any active NAT mappings-- it wont know what to do with the unsolicited traffic, and will dump it.

The "attack" being described is simply to set up a static route on your machine which tells it "ah, but _I_ know how to get to 192.168.50.5-- its through 5.5.5.5!". This could work, as indeed the router would know how to handle the 192.168.50.5 address; the problem is that no other router on the internet will accept a packet destined for that IP address, and you cant just tell those routers how to route the packet. So this attack only works if you are right next to your target-- either their ISP, or some hacker who is on the same cable drop as your neighborhood.

This is why I call it security: if you have no other firewall, NAT (of the sort we mean when discussing consumer routers) will at least ensure that no geographically removed attackers can access your private network, simply by virtue of every other router on the internet refusing to carry the traffic.

The real crux of this argument is that the AC is being pedantic and obnoxious, and conflating static NAT (his iptables examples) with the sort of NAT found on every consumer firewall. If someone is setting up an iptables NAT, they almost certainly are aware of what doing a default policy of ACCEPT will do: it will remove any sort of filtering and all security. But thats not what the context of the conversation was, which is why theres a disagreement here.

Then go get a job at cisco or SANS as their chief security engineer, because you clearly know better than them.

I mean, hey, what would Cisco know. Theyre just the folks behind the PIX, the first device to support NAT.

3 points.

1) Security measures are measures which mitigate vulnerabilities. Mitigations can involve avoiding an issue, or reducing risk. When you take the potential pool of attackers from "the entire internet" and reduce it to "People with direct access to the link between me and my ISP", you have reduced risk. This is Security 101 stuff, its called "risk assessment".

2) No one is suggesting NAT is the best security ever-- just that it provides some degree of security by way of mitigating some threats. Other threats it does not mitigate, and that doesnt really matter because almost no one relies exclusively on NAT anyways.

3) I've provided sources to a number of vendors; I could easily find more. You still have yet to explain why we should toss out Cisco and SANS' explicit statements that NAT constitutes security, and trust your random internet rant. Put up, or shut up.