End Of the Line for SpeakFreely: NATed to Death
Arun writes "John Walker (of AutoDesk and Fourmilab fame), primary author of SpeakFreely, has decided to EOL the program (a pioneering network telephony effort), come January 15th, 2004. He cites difficulty in maintaining a decade-old code base, lack of appropriate developer support and a fundamental change in the peer-to-peer nature of the Internet upon which SF is dependent as motivating factors behind his decision. While the last release of the program will continue to be available from SourceForge, the main web site, mailing list, and web forum will be shut down on the aforementioned date." He's got some good points too, like how once IPv6 is more common, most users probably won't go back to one address per machine. I know I enjoy the added security of a NATed firewall, and without a really good reason, I won't be quick to give it up.
NAT & firewall (Score:2, Informative)
Re:NAT & firewall (Score:3, Insightful)
Re:NAT & firewall (Score:5, Insightful)
Ahh, but NAT is the simplest. I like the fact that I can get a hardware NATting firewall, plug it in, and know that the default configuration is secure. There aren't any holes anywhere, no cracker is gonna scan my network through it, nothing like that...
Sure you can get that with a regular firewall, but you have to configure it and monitor it and all sorts of other stuff that I, as a consumer, just don't want to do.
And FYI, I work in the TCP/IP security business. It's not that I don't know how to build a firewall. It's that I don't WANT to when I'm off work...
Re:NAT & firewall (Score:2)
But I challenge you to find one single hardware product for sale today in a consumer electronics retailer that meets your definition of "NAT by itself"
Re:NAT & firewall (Score:2)
I have one in my cube at work...it's called a LocalDirector.
Re:NAT & firewall (Score:2)
Who is the manufacturer? Where can one purchase this device?
Re:NAT & firewall (Score:2)
Who is the manufacturer? Where can one purchase this device?
Cisco Systems. There's a bunch of them on eBay right now.
Re:NAT & firewall (Score:2)
Re:NAT & firewall (Score:2)
Re:NAT & firewall (Score:2)
Re:NAT & firewall (Score:2)
You're not thinking this through properly. The connection is addressed to the NAT box, so the NAT box will deal with it. It will probably simply ignore it because it doesn't have the need to accept incoming connections, but that isn't protecting your internal machines in any way. The packet was not addressed to your internal machines, so they are not involved in this situation.
With pure NAT and no firewall, I can (theoretically) tell my computer to route packets using your public IP address as a gateway an
Re:NAT & firewall (Score:2)
Re:NAT & firewall (Score:2)
By blocking all incoming connections, you still can't accept connections from hosts on the Internet, so nothing is solved.
Re:NAT & firewall (Score:2)
Let's address both of those separately:
1. Configuration of non-NAT firewalls. I have yet to see a real world situation that warranted a firewall where denying all inbound traffic was a viable solution. Web servers, FTP, SQL, E-mail, etc. Sure, NATting firewalls require the same configuration... but generally the rules are MUCH simpler, since you're only routing one inbound IP Address. You're living in a dream world if you think that denying
Re:NAT & fresh windows installs (Score:4, Interesting)
Also, I can have file shares open between different computers on the NATed (natted? NATted?) network, allowing for easy sharing of files. If each computer was hooked directly to the internet there would be no way I'd have ports 135-139 open for Windows file shares!
Re:NAT & firewall (Score:2)
Kinda, but not fully. Unless you have services that need be accessed, there is no reason not to use NAT. If you use RFC 1918 space, NAT outbound, you simply cannot hit my machine. You can't even reach it. Unless you compromise a dual-homed system, or find a modem that's answering, or steal a valid VPN key and account. But besides very unlikely situations, you just can't reach my systems. You try to hit the IP I have set on m
Re:NAT & firewall (Score:2)
Re:NAT & firewall (Score:2)
This will then block any packets on ports other than the ones you've opened from getting through to your network. If you want an easy way of doing this, give FreeSCO [freesco.org] a try.
Re:NAT & firewall (Score:2)
FreeSCO is for Free Cisco, because they're attempting to build a floppy bootable version of Linux that has all the features of a Cisco router (although you're probably better off buying the router if you need that sort of power)
Re:NAT & firewall (Score:2)
A firewall means, to most people, a box that does NAT. However, it used to be a router that that could enforce different packet filtering rules. Now it might mean a box that is kind of like a router but can be more nuanced about policies than simple packet filtering (stateful inspection). Or it can combine all three of these technologies combined in some way.
Correction: NAT is 20% of a firewall (Score:2)
Also, you can check the configuration of netfilter in your Linux kernel, or even the netfilter source code: less than 20% will be about NAT.
So, where did you get your k
Why, oh why? (Score:5, Insightful)
I wish I had discovered it earlier.
Oh well, I can only hope that I can repent this mistake in my next life.
Re:Why, oh why? (Score:4, Informative)
And it works with NAT (it's more or less like IRC with voice-capability)
Hrml (Score:2, Funny)
Why is this a Problem? (Score:2)
Of course, I'm sure there are some technical issues here that are currently beyond my understanding...
Re:Why is this a Problem? (Score:5, Insightful)
Walker also lists an entire slew of other reasons, but if he used the NAT argument as his central reason to quit, I think he's being very short-sighted. Of course, "because I don't wanna" is always a perfectly valid reason in an open source world, too.
Re:Why is this a Problem? (Score:5, Insightful)
More specifically, what happens when you have multiple machines behind the NAT device? How do you map the ports statically to multiple machines *and* also communicate this information to devices on the outside of the NAT device? (That is, port 80 on the NAT device maps to server1, port 81 on the NAT device maps to server2, etc.)
The key issue is that applications are using network level addressing (IP addresses) rather than application level addresses (URLs) to establish the network connection -- we have network specific information far too embedded in the applications, which is why the transition from IPv4 to IPv6 is such a nuisance. At the moment, the DNS SRV record could help with some of these matters by specifying a port number to use for a specific service and host/domain.
A better design for applications would be for them to be completely unaware of 'IP addresses' and function purely on URLs or hostnames + service name, and link to libraries or network drivers on the machine that handle the network aspects. Really -- excepting network management tools, what application bothers about the MAC addresses of machines or PPP negotiation details? IP addresses should not matter to the applications, either -- at that point, much of the arguments against NAT go away.
Honestly, the fact that NAT causes applications to break is more a reflection on mistakes in the architecture/application. IP packets themselves don't fall over and die just because they transition from a PPP link to wireless to ethernet to SONET to etc. The differing layers are independent of one another -- the applications have not yet been weaned off directly diddling with the IP layer.
Re:Why is this a Problem? (Score:2)
For example, wanting to forward the same external port to two different internal machines.
Re:Why is this a Problem? (Score:2)
People who don't know how to load a bullet into a gun shouldn't be firing guns.
The cheapest NAT box I bought is now USD43 when I last checked, comes with web configuration (only accessible on the inside interface) and it does static port forwarding. Very simple to configure too.
sad to see it go (Score:4, Interesting)
That's too bad (Score:5, Interesting)
When I discovered I could have voice conversations with anybody in the world, I was so excited I picked up my phone to tell my friend in Canada
Don't perpetuate myths. (Score:4, Insightful)
Every single security feature you like about NAT can also be had without NAT.
The common things people think they get with nat:
- Connections that must initiate from inside the network.
This is easily achieved with a normal firewall and routable addresses as well.
- My addresses aren't routable, so I'm more secure.
No, your addresses are perfectly routable, just the internet at large does not route them by agreement. Your ISP could easily configure its routers to get traffic in to your network on those addresses.
- It hides the real addresses of my machines.
Not really... or more accurately, to an outside attacker, those addresses don't mean anything anyway. Whether they are known or not is not relevant. A firewall in front of a network of routable addresses could hide things equally well.
NAT by itself does not reduce exposure. The best example of this would be those who configure nat in a hurry on linux 2.4 systems..... they set up an SNAT or masquerade rule in postrouting, and that's it.
That's nat, full, 100% working nat.
With absolutely no security.
The ISP could route to their internal network, no problem, making connections to whatever they want.
This is easily fixed by a few rules.. but then you are into firewalling, and not NAT at all.
Re:Don't perpetuate myths. (Score:3, Insightful)
The ISP could route to their internal network, no problem, making connections to whatever they want.
Care to justify that?
If you control your NAT router, there is no way the ISP can initiate inbound TCP connections to arbitrary machines behind your NAT box.
I do agree that NAT isn't really security, just a very easy way to set up a firewall that allows outgoing connection initiation only by default.
I'm still confused (Score:2)
Re:I'm still confused (Score:3, Interesting)
The linux box doing the NAT is also configured to route packets. On your LAN, you would configure the "default gateway" to be that box, and thus cause any packets not destined for an address in your LAN subnet to be sent to the NAT box for routing.
Imagine if a computer at your ISP had a route added to its routing table which causes 192.168.0.0/16 to be routed to your external IP address. This computer will now send any packets destined for an address in your LAN subnet to your router, which will inspect it
Re:I'm still confused (Score:2)
Ok, I will. Here, lemme go look at my NAT box setup now..
Ok, its public IP is 66.32.64.0, netmask on that interface is 255.255.248.0. (Yes, I changed a number or two to hide the real IP)
Its internal adapter is set up for 192.168.0.1, with a netmask of 255.255.255.0.
Let's follow this. Packet is received by the ethernet adapter. The driver gets it, and fo
Re:I'm still confused (Score:2)
I was simplifying a little. I didn't really want to bring up Ethernet when the OP was clearly confused enough about IP as it is.
However, on most cable systems you share one broadcast medium with a bunch of other customers, all of which would be capable of addressing you at the transport level if they wanted to. (Actually, in many cases they'd be addressing the cable modem rather than the router, but there exist devices which do both)
Re:I'm still confused (Score:2)
Remember that your neighbours are on your ISP's network too. Do you trust them all?
Re:Yup. I will. (Score:2)
And as I said before, this would only work if you don't support any sort of netmasks.
The packets would, even if they somehow magically managed to get routed IN from a netmask the interface wouldn't support, just get routed BACK out to the NAT box's default host, as it doesn't match ANY of the netmask rules for transmittal to the internal address..
Re:Don't perpetuate myths. (Score:2)
Re:Don't perpetuate myths. (Score:2)
The text says: "I know I enjoy the added security of a NATed firewall,"
But since this is /. nobody has a brain and you got modded up..
- It hides the real addresses of my machines.
Not really... or more accurately, to an outside attacker, those addresses don't mean anything anyway. Whether they are known or not is not relevant. A firewall in front of a network of routable addresses could hide things equally well.
Uhh, a network appliance that does NAT, usually has a configuration that makes it a firew
Re:Read more carefully. (Score:2)
The article was about NAT... and NAT is not in any way related to firewalling, other than by conveniently often being handled by the same device.
Uhh, read everything again and put things in context, NAT is a service, and in this context of speak-freely-peer-to-peer on the internet it is almost *always* provided by firewalls. That is why the comment reads as it does: I enjoy the added security of a NATed firewall, and without a really good reason, I won't be quick to give it up.
"it" is likely a refe
Nat != IP Space reduction generally (Score:2)
PAT reduced used IP addresses by mapping ports rather than IPs.
NAT especially is no substitute for good security as incoming connections are allowed by default. This method breaks fewer protocols than PAT.
Now as far as NAT being a good or bad thing I'm all for NA
Not that simple. (Score:4, Informative)
Of course the ISP gets traffic in to your network even with NAT but that's how you get to surf the web.
"That's nat, full, 100% working nat.
With absolutely no security."
Seriously tho, while your ISP can easily subvert data and existing connections (and so can Verisign etc), it is nontrivial for your ISP to make new inbound connections into your network through a NAT device.
If you know how typical NATs work, it isn't that easy. (BTW Cisco calls them PATs because Cisco used to have inferior NAT solutions that didn't support IP sharing or overloading as they called it).
In the simplest case that supports multiple NAT'ed hosts, a NAT device builds a table based on outbound packets: src address, src port, dest address, dest port -> new src address, new src port, dest address, dest port.
You need a new source port because two source hosts could use the same source port.
Reply packets that match are then translated back.
Packets that don't match can't go through the device because the device just doesn't know where they should go.
Unless the device is terribly buggy you should be reasonably safe from inbound connections.
In fact with NAT, in order to allow inbound connections you need to add more code.
So with NAT having inbound connections is harder, and that is a good thing.
Coz there are some tricks you can play with IP fragments, where you get a fragment to overlap the original header on a vulnerable operating system. But if you have a reasonably recent O/S this shouldn't work anymore even on Windows.
Simple example of how it works: an inbound packet fragment goes through a firewall with a legit destination address and port and is stored in a packet buffer on the destination host. Subsequent fragments are sent and allowed through by the firewall and they overwrite/overlap the original destination port in the packet buffer, so the destination host actually ends up with a packet that connects to a service that should have been blocked by the firewall.
If you don't allow inbound connections and only allow outbound, such subversion is a lot harder: someone needs to be able to see your outbound packets as they head towards the real destination, in order to construct suitable "inbound" packets and fragments.
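The translation table described in the comment above, written out as an added example (not code from the thread or from Speak Freely): outbound packets create a 4-tuple mapping with a freshly allocated public port, matching replies are translated back, anything else is dropped because the device has nowhere to send it, and the only way in is the extra "static port forward" code the comment mentions. All addresses, ports and the `PortNat` class are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the addressing fields a NAT device looks at (constructed, no payload)."""
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport) of an outbound flow


class PortNat:
    """Toy port-translating NAT (what Cisco calls PAT) for a single public address."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # outbound table: (src, sport, dst, dport) -> translated source port
        self._out: Dict[FlowKey, int] = {}
        # reverse table: (translated port, remote addr, remote port) -> (src, sport)
        self._back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # static port forwards, the "more code" needed for inbound connections
        self._forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, ext_port: int, host: str, port: int) -> None:
        """Map an external port to an inside host/port (the web UI of a home router)."""
        self._forwards[ext_port] = (host, port)

    def outbound(self, p: Packet) -> Packet:
        """Translate a packet leaving the LAN, creating a table entry on first sight."""
        key: FlowKey = (p.src, p.sport, p.dst, p.dport)
        if key not in self._out:
            # Two inside hosts may pick the same source port, so every new
            # flow gets its own public port instead of reusing the original.
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._back[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public_ip, self._out[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means it is dropped."""
        if p.dst != self.public_ip:
            return None  # not addressed to the NAT box at all
        entry = self._back.get((p.dport, p.src, p.sport))
        if entry is None:
            entry = self._forwards.get(p.dport)
        if entry is None:
            return None  # no table entry and no forward: nowhere to send it
        host, port = entry
        return Packet(p.src, p.sport, host, port)


if __name__ == "__main__":
    nat = PortNat("66.32.64.1")
    print(nat.outbound(Packet("192.168.0.2", 5000, "203.0.113.7", 80)))
    print(nat.inbound(Packet("198.51.100.9", 4444, "66.32.64.1", 22)))  # None
```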
Ah! (Score:2)
If the NAT device also behaves as a normal router then without any firewall rules it could forward packets destined for the internal network.
OK my error.
Re:Don't perpetuate myths. (Score:2)
Why it's not a myth (Score:2)
Fundamentally, you are 100% correct. NAT provides no security that simple filtering can't do better.
However, practical security is about more than fundamentals. It is about what happens when you screw up.
I have a gateway with filtering. If I mess up a config, my gateway might come up without the iptables rules, and I might not notice for ages.
However, all the workstations I use are NATted, (All things being equal I would prefer that they weren't, but the charges from my ISP would be far from equal),
Re:Don't perpetuate myths. (Score:2)
They think they get it with NAT, and they do. You stated it as if they don't get it when they think they do.
No, your addresses are perfectly routable, just the internet at large does not route them by agreement. Your ISP could easily configure its routers to get traffic in to your network on those addresses.
Have you never heard of a netmask? Try it sometim
Re:Sure. (Score:2)
In Linux 2.4, this should be default with rp_filter which I believe is automatically enabled when ip_forwarding is enabled. Of course, making sure that rp_filter is enabled explicitly is always a good idea
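A simulation of the two checks argued over in this sub-thread (the "route 192.168.0.0/16 at your external IP" scenario and the rp_filter reply above), added here as an example and not code from the thread or from Linux: strict reverse-path filtering rejects a packet whose source would not be routed back out the interface it arrived on, and a separate filter rule is what stops a packet with a legitimate ISP-side source from being forwarded into the LAN, since rp_filter only looks at the source. The routing table, interface names and addresses are constructed, modelled on the 66.32.64.0/21 and 192.168.0.0/24 figures quoted above.

```python
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed routing table of the gateway: LAN on eth1, ISP segment and
# default route on eth0.  Longest prefix wins, as in the kernel.
ROUTES: List[Tuple[Net, str]] = [
    (ipaddress.ip_network("192.168.0.0/24"), "eth1"),
    (ipaddress.ip_network("66.32.64.0/21"), "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]
LAN: Net = ipaddress.ip_network("192.168.0.0/24")
WAN_IF = "eth0"


def route_lookup(addr: str, routes: List[Tuple[Net, str]] = ROUTES) -> Optional[str]:
    """Longest-prefix match; returns the egress interface, or None if no route."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[Net, str]] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_ok(src: str, arrived_on: str, routes: List[Tuple[Net, str]] = ROUTES) -> bool:
    """Strict reverse-path check (rp_filter=1): the packet's *source* must be
    reachable via the interface the packet arrived on; otherwise it is spoofed
    (e.g. a 192.168.0.x source showing up on the ISP-facing interface)."""
    return route_lookup(src, routes) == arrived_on


def forward(src: str, dst: str, arrived_on: str,
            routes: List[Tuple[Net, str]] = ROUTES,
            lan: Net = LAN, wan_if: str = WAN_IF) -> str:
    """What the gateway does with a packet it is asked to forward."""
    if not rp_filter_ok(src, arrived_on, routes):
        return "drop: reverse-path check failed"
    # rp_filter says nothing about the destination.  A packet from a real
    # ISP-side address aimed at a LAN address (the "ISP adds a route to your
    # external IP" case) passes it and a plain router would forward it; an
    # explicit rule on the WAN interface is what closes that hole.
    if arrived_on == wan_if and ipaddress.ip_address(dst) in lan:
        return "drop: inbound packet to LAN prefix blocked by filter rule"
    out = route_lookup(dst, routes)
    return f"forward via {out}" if out else "drop: no route"


if __name__ == "__main__":
    print(forward("192.168.0.5", "66.32.70.1", "eth1"))   # normal outbound traffic
    print(forward("192.168.0.9", "192.168.0.5", "eth0"))  # spoofed private source
    print(forward("66.32.65.10", "192.168.0.5", "eth0"))  # ISP routes LAN prefix at us
```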
I think you misread. (Score:2, Informative)
but NAT is not security.
Perhaps my point is too subtle... let me try to put it another way.
All the security features you think you get by using NAT are actually not related to NAT at all.. they just happen to be configured along side it, and nobody ever really thinks about it. All of them are available, and work equally well, without NAT in the picture. NAT works equally well without any security features.
My point is not that "NAT devices are i
NAT to death. (Score:5, Funny)
No...
172.18.1.3/12!
No, please, stop
10.255.255.255/8!
AAAAAHHAHAHRRRGGNO CARRIER
Yeah that's right, SF and NAT don't work together (Score:2)
Re:Yeah that's right, SF and NAT don't work togeth (Score:2, Funny)
NAT for security... Not! (Score:3, Insightful)
In fact it can be a serious problem as a significant percentage of the people with NAT on their Broadband gateway are doing little or nothing to improve their desktop security. Why be worried when the gateway will block NAT traffic for me?
I am probably preaching to the choir, but as a simple example of the flaw, you probably still get, and read e-mail, even behind your NAT firewall. If someone sends you an infected file as an attachment, (that you happen to execute, automatically or deliberately) that happens to be an IRC-Bot that will turn your workstation into a rdos center, your NAT box is unlikely to do anything to protect your PC. In fact now that the bug is running on your system, it has the potential to check for other systems in your home network that are vulnerable to various exploits that you haven't patched for, because you are "safe behind my nat firewall".
Suddenly you have multiple boxen in your network that are all accessing the internet without your awareness, and downloading whatever the bug writers have decided to have them download. It's not even remotely improbable that your NAT secured network may become a spamming source without you knowing about it.
NAT as a security tool is the network equivalent of Security through Obscurity, and is just as flawed.
-Rusty
Re:NAT for security... Not! (Score:2)
For the nth time, NAT has nothing to do with security. NAT is essentially an IP address multiplexer. It used to be for people who didn't want to pay for more than one IP but wanted several computers to access the Net several years back, and it used to be frowned upon by ISPs, if not outright prohibited by them. Now it has become a necessity due to IP shortage, and you'll notice most ISPs don't mind anymore for that very reason.
Again : NAT HAS NOTHING TO
Re:NAT for security... Not! (Score:2)
What's NAT have to do with addresses per machine? (Score:2)
What makes you think that NAT implies one address for many machines? Even if you want the extra security provided by NAT, if you have many addresses available, you can translate one routable address per internal machine. I certainly look forward to IPv6 for this reason, but I'm not holding my breath :-)
In Europe ISPs do not NAT their customers! (Score:5, Interesting)
Customers using a cable modem or dsl modem get a live wild-side IP and a unique hostname such as:
node139a2z.xs4all.nl
by which they're already DNS addressable.
Most commodity OS's and even the cheap (horrific!) home-router products I've seen have port forwarding capability, so there's really no such problem as he describes here.
Does anyone have different experience elsewhere?
The States, for instance? I'd like to hear.
Liam.
Re:In Europe ISPs do not NAT their customers! (Score:5, Informative)
Here in the Netherlands at least, both the major broadband providers (UPC and KPN) give all customers a generically routable IP.
...
Does anyone have different experience elsewhere? The States, for instance? I'd like to hear.
Not only do most (all?) of the US broadband providers give you a globally routable IP, many of them actually get angry with you if you try to use NAT, because they want to have a one IP to one machine mapping for charging your account. Comcast in particular even has language in their AUP that says they may take legal action against you if you try to use NAT to install more machines (which is totally stupid, but there it is).
I've got a lot of respect for Walker in other areas, but this NAT rant is just barking up the wrong tree. NAT boxes are installed by users so that they can get more functionality out of the limited IPs available to them, not by ISPs to limit the users. I know Cox cable will help you install a NAT network, but they by no means require it or lock it down. At any time you could simply plug your machine straight into the internet and be just like everyone else. Or get a better NAT box!
On the other hand, saying that the internet is transitioning to a client/server architecture at the hands of corporate overlords isn't a big stretch at all (limited upstream, blocking HTTP ports, etc) but it has nothing to do with NAT.
Anyway, as others have said, if he is just tired of writing the program for a perceivably uninterested audience, he should just stop and turn it over to an SF project, like he's done. No need for this NAT rant...
Re:In Europe ISPs do not NAT their customers! (Score:2)
Although the marketing and sales departments are quite against anything but MacOS 9 (yes 9) or Windows 95/98/XP (no 2000/NT), their technical staff care less about what you run.. and they may in fact endorse it.
The technical guys still won't give you help with your Linux box.. but if you give them specific, os indepe
Re:In Europe ISPs do not NAT their customers! (Score:2)
Ditto in Finland.. (Score:2)
IETF tools for media through NAT (Score:5, Informative)
No static port mapping? (Score:5, Insightful)
First off, let me say I have no idea what Speak Freely is. My comments are solely in response to some of the reasons he gives for discontinuing the program.
Had his reasoning behind discontinuing the project rested solely on his lack of time and an aging code base, I don't think I'd have an issue. Instead, he goes on to blame the NAT protocol and boxes that implement it, like the very popular cable/DSL "routers," and many of his issues seem to either misunderstand them or deliberately misstate what they can do.
He makes comments like, "Since the user no longer has an externally visible Internet Protocol (IP) address (fixed or variable), there is no way (in the general case--there may be "workarounds" for specific NAT boxes, but they're basically exploiting bugs which will probably eventually be fixed) for sites to open connections or address packets to his machine." He continues to state, "experience has shown that a large number of installed NAT boxes either cannot map an externally accessible port to an internal IP address and port, or those who install the boxes do not provide their customers adequate information to permit them to do this."
First of all, I have yet to see a NAT device that cannot statically map ports to a machine inside the local area connection. If there is one, I'd love to know about it so I can tell anyone to avoid it. Some are more rudimentary than others - like one I know about that has no UI to distinguish TCP and UDP inbound ports - but they all offer some way of mapping inbound ports.
His argument that they don't provide sufficient documentation to allow end-users to do so, and this may be the case. But if one is to discontinue development of a program based on the fact that someone else is providing poor documentation, there wouldn't be any development going on - documentation for most hardware/software products in the last 3 years or more have been horrid in my experience.
His argument that the internet is moving towards a client-server model rather than a peer to peer model is undeniable. It's been moving that way since they allowed home computers on the internet, and shouldn't be a surprise to anyone. Still, this doesn't mean the "clients" can't continue to utilize products that utilize a peer to peer architecture. He dismisses peer to peer file sharing products while overlooking the fact that they're the most successful peer to peer architecture network to exist in the history of the internet, and disproves his argument that NAT spells the end of peer to peer.
In the end, it seems he just didn't want to continue developing his program - and instead of being honest, he thought he'd use this opportunity to climb on his soapbox and make some waves by blaming NAT for the ills of the internet and the death of his program.
Re:No static port mapping? (Score:2)
I don't think it quite comes off that way. I believe that his point is that most people who use his software are simply operating behind a NAT and either don't know how or are not bothering to redirect a port to an internal IP. So what is happeni
Re:No static port mapping? (Score:2)
It could. P2P services still work because there is still a significant number of users not behind any kind of NAT box. If everyone was behind a NAT box, none of those P2P apps would work.
I just hope NAT doesn't become the 'default', but it looks like that
Re:No static port mapping? (Score:5, Insightful)
True, but to be fair, you are making two assumptions:
(1) The user who wants SF controls the firewall and
(2) The user who wants SF knows how to configure the firewall to forward ports
Generally, in IT supported situations (1) will be false; in home situations (2) will be false.
So, for the majority of potential users behind NAT boxes, NAT is a significant enough barrier to using this program to dissuade experimenting with it.
But if one is to discontinue development of a program based on the fact that someone else is providing poor documentation, there wouldn't be any development going on - documentation for most hardware/software products in the last 3 years or more have been horrid in my experience.
Depends on whether you can take the pain for the user. If the problem is that the Foo API is poorly documented, then you can insulate the user from it. If the problem is that the user has a tough learning curve before he can try your stuff, it's a big issue. I was screwing around with an open source java project recently that (a) provides source code only and (b) uses a non-standard build system and (c) has lots of dependencies. After spending a couple of days, I was making progress on it, but eventually decided that the expected return on my efforts didn't justify using it over a different means of getting the same thing accomplished.
Re:No static port mapping? (Score:2)
Port forwarding is a functional, if somewhat fiddly, way to allow direct connections in.
Unfortunately, as soon as you have multiple clients behind the NAT box it becomes at the very least a major PITA (if you have to organise a specific port mapping for each person and whomever wants to connect to them) and more likely completely broken (in the case of applications that cannot change
Re:No static port mapping? (Score:2)
NAT destroying the Internet (Score:3, Funny)
Why do people just love NAT ?
Is it a "superiority complex" thing ?
"Ha ha ha, I'm better than the hackers, my addresses are hidden".
or
"Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.
It's a pity these NATters don't realise
It's just breaking the Internet, killing off useful peer to peer applications like speakeasy.
Do people like screwing around with their NAT box configuration every time they add a new P2P application ? (dumb question on slashdot I suppose).
For those that think it is wonderful, spend some time reading and understanding this RFC
RFC 2993 - Architectural Implications of NAT [faqs.org]. Until that point, you don't have an informed opinion about NAT, so you shouldn't express it.
Re:NAT destroying the Internet (Score:4, Interesting)
Is it a "superiority complex" thing ?
No, troll, people love it because it adds security, it's easy to do, and it's already built-in to many consumer devices.
"Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.
Hee hee, my ISP (Time Warner, maybe you've heard of the company) doesn't care if I hook up more than one PC. They even asked if I wanted help setting up a home network when I started service.
# NAT doesn't protect you from email payload viruses.
# NAT doesn't protect you from spy where. You downloaded that when you downloaded the free P2P software. Once inside your NAT box, it can establish more outgoing TCP connections, and download what ever it likes.
# TCP connections are full duplex - data (innocent or malicious) can be downloaded via a TCP connection initiated in the outgoing direction. That is how the WWW works !
Nobody sets up NAT to protect against email viruses or spyware, except in whatever fantasy world you're pulling arguments from.
It's just breaking the Internet, killing off useful peer to peer applications like speakeasy.
The author of SpeakEasy apparently failed to notice that 99% of NAT devices out there today can be set up to do port forwarding. I'm using a Linksys 4-port router/switch myself, for example, and if I needed to open a port for something like SpeakEasy, I could have it done in 30 seconds- open up the config page in a browser, put in the external+internal ports, pick which internal IP to forward to, save, and done.
Do people like screwing around with their NAT box configuration every time they add a new P2P application ? (dumb question on slashdot I suppose).
Sorry, but any of the good p2p apps don't require any screwing around to work, and if they do, it's optional (eMule, for example).
Re:NAT destroying the Internet (Score:2)
NAT does not in any way add security. The last two sites I've broken into (one was a shell, the next was an entire fvwm setup) were on RFC1918 addresses. I just convinced the system to make a connection back to me.
If you don't want connections coming into your network, don't allow them at the firewall. That's the security. Disallow everything you don't know you need. NAT is not a r
Re:NAT destroying the Internet (Score:2)
So you (probably illegally) broke into two boxes, and want your opinion to be trusted? Hasn't this been a big issue lately? Sorry, but I don't give that sort of activity very much weight.
Re:NAT destroying the Internet (Score:2)
Hey, good assumption.
So, when someone announces a specific technique to work around something that is consider ``a security measure,'' it makes a lot of sense to assume the person was breaking the law, and security measures should only protect from things being used lawfully.
I'm probably missing your point, but if you're
Re:NAT destroying the Internet (Score:2)
If all you did was find a flaw in a security measure, then say so.
I'm probably missing your point, but if you're worried about security, you might want to consider that someone might actually break the law when circumventing your ``security'' measures.
P
Re:NAT destroying the Internet (Score:2)
Perhaps it does for you. I've had to break into my house and cars a few times as well. Don't tell me I did that.
If all you did was find a flaw in a security measure, then say so.
OK, I found a flaw in assuming NAT assists at all in security. I'm sure that proves my point quite well.
Probably. You might want to consider that security measures can be tested against unlawful techniques without actually break
Re:NAT destroying the Internet (Score:3, Interesting)
The author even says this:
" But one operational advantage with firewalls is that they are generally installed into networks with the explicit intent to interfere with traffic flow, so the issues are more likely to be understood or at least looked at if mysterious problems arise. The
Hear, Hear (Score:2)
Let's look at the issues of NAT (PAT in Cisco parlance, as NAT is entirely different) as compared to a normal stateful non-inspecting firewall with no administrative restrictions. They each:
Disallow incoming IP sessions unless specified.
Function as a single point of failure.
Require a single point of state.
Personally I think EVERYTHING should be firewalled, but that doesn't fit with the academic model. Now those three big ugly issues t
Re:NAT destroying the Internet (Score:2)
Spy there.
Re:NAT destroying the Internet (Score:2, Informative)
I know there are ways to find out if there is more than one box initiating connections from a specific link. I don't care. I, like many other people, use NAT because my ISP will cancel my account if they find out I'm using their dialup for my network, not for a single computer. They are not trying too hard to find out, because they don't really want to lose their customers, they only need to do a bit of checking to please th
Re:NAT destroying the Internet (Score:3, Informative)
"Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.
And with that, your credibility rating drops to zero. Thanks for playing; have a nice day.
Apparently you missed the research that went into this. There are multiple ways. There are some basic packet sniffing mechanisms that can tell how many systems are initiating the connections as well as other methods.
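The "packet sniffing mechanisms" this comment refers to are best known from Steven Bellovin's 2002 paper "A Technique for Counting NATted Hosts". The example below is added here and is not code from the thread or from any ISP tool: it implements that IP ID sequence heuristic over a constructed packet capture, so an operator can see what a NAT'd address leaks when the hosts behind it run stacks that increment the IP identification field by one per packet.

```python
"""Estimate how many hosts share one NAT'd address from IP ID sequences.

Added example, not code from the thread. It implements the heuristic
from Steven Bellovin's paper "A Technique for Counting NATted Hosts"
(IMW 2002): older IP stacks increment the IP identification field by one
per packet sent, so traffic from a single public address that splits
into several independent increasing ID sequences points to several
hosts behind the NAT. The packet records are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    t: float      # capture time in seconds (constructed)
    ip_id: int    # IP identification field, 0..65535


@dataclass
class Chain:
    last_id: int
    last_t: float
    count: int = 1


def count_hosts(packets, max_gap=30, max_idle=60.0):
    """Assign each packet to the chain whose last IP ID is its nearest
    predecessor (within max_gap, wrapping at 2**16) and was seen within
    max_idle seconds; otherwise open a new chain. Returns the number of
    chains (probable hosts) and the packet count per chain."""
    chains = []
    for pkt in sorted(packets, key=lambda p: p.t):
        best, best_delta = None, None
        for ch in chains:
            delta = (pkt.ip_id - ch.last_id) % 65536
            if 0 < delta <= max_gap and pkt.t - ch.last_t <= max_idle:
                if best is None or delta < best_delta:
                    best, best_delta = ch, delta
        if best is None:
            chains.append(Chain(pkt.ip_id, pkt.t))
        else:
            best.last_id, best.last_t = pkt.ip_id, pkt.t
            best.count += 1
    return len(chains), [c.count for c in chains]


# Constructed capture: three interleaved ID sequences, one of which wraps
# from 65535 back to 0.
SAMPLE = [
    Packet(0.0, 1000), Packet(0.5, 40000), Packet(1.0, 1001),
    Packet(1.2, 40001), Packet(2.0, 1003), Packet(2.5, 65534),
    Packet(3.0, 40002), Packet(3.1, 65535), Packet(3.5, 0),
    Packet(4.0, 1004),
]

if __name__ == "__main__":
    hosts, sizes = count_hosts(SAMPLE)
    print(f"probable hosts behind NAT: {hosts}, packets per host: {sizes}")
```

On the constructed capture the function reports three hosts. The heuristic only works against stacks with a per-host sequential IP ID counter; stacks that randomize the field or zero it on DF packets defeat it, which is exactly why those changes were made from a privacy standpoint.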
Re:NAT destroying the Internet (Score:3, Informative)
Much Ado About Nothing (Score:2)
The net is still free, you can still talk to whoever you want to talk to. No need for Chicken Little here. Heard of blogs? ICQ? Instant messaging? IRC?
Next thing you know he'll be complaining that the net is no longer free since no one uses gopher or AOL's TurboBrowser (from version 2.6) or Hotline anymore.
Re:Much Ado About Nothing (Score:2)
I know I enjoy the added security of a NATed firew (Score:4, Interesting)
Ipchains used to let udp packets addressed to your internal net pass through untouched. All a hacker need do is guess your internal address space (all signs point to 192.168.0.*) and he could bombard your innards with all kinds of silly shit. And most exploits are emailed/downloaded trojans, not viruses in the old sense.
What NAT is, is convenient. I have my router box equipped with NAT and DHCP. I can bring home a laptop or plug something in, and presto! I'm online. No calling ISP and asking for another IP, no hoops to jump through.
I could pay for extra IPs from my ISP, but why? I don't serve anything from home, and neither do most home and small business users - that's what colos are for.
NAT is just way too convenient and sensible. It's like just plugging a phone into an extension, vs running its own line.
And it works 99.9% of the time for me. Transparent proxies (ya mofo i violate RFCs by even transparently proxying http, i'm fucking crazy man, crazy!!) fill the gap for the 0.999%, leaving 0.001% of stuff a pain in the ass, and I can avoid that pain in the ass stuff since it's all warez clients, err p2p applications.
So, I don't mourn the loss of SpeakFree. Open source needs to be able to adapt to survive, too. NAT is here to stay.
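The ipchains behaviour described at the top of this post (packets addressed to the internal net passing the external interface untouched) is fixed by an address-sanity rule, not by NAT itself. The following is an added example, not code from the thread or from ipchains: it models that rule in Python, dropping anything on the Internet-facing interface that carries an RFC 1918 source or destination, plus the matching egress check on the LAN side. The interface names, LAN prefix and packet log are constructed values.

```python
"""Anti-spoofing filter for the border between a NAT'd LAN and the Internet.

Added example, not from the thread. It models the check the comment above
says old ipchains configurations lacked: a packet arriving on the external
(Internet-facing) interface whose source or destination is an RFC 1918
private address cannot be legitimate and is dropped, and a packet leaving
from the LAN side must carry a source address from the LAN. Interface
names, the LAN prefix and the sample packets are constructed values.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_IF = "eth0"                                   # assumed WAN interface
INTERNAL_IF = "eth1"                                   # assumed LAN interface
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN prefix


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def verdict(iface, src, dst):
    """Return 'DROP' or 'ACCEPT' for one packet seen arriving on iface.
    Only the address-sanity part of a firewall policy is modelled here;
    stateful and port rules would follow an ACCEPT from this function."""
    if iface == EXTERNAL_IF:
        # Private space must never appear on the Internet side: such a
        # packet is either spoofed or a mis-routed probe at the LAN.
        if is_private(src) or is_private(dst):
            return "DROP"
        return "ACCEPT"
    if iface == INTERNAL_IF:
        # Egress anti-spoofing: only our own LAN may send through here.
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            return "DROP"
        return "ACCEPT"
    return "DROP"  # unknown interface: fail closed


# Constructed packet log: (interface, source, destination)
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.5", "192.168.0.10"),   # probe aimed at the LAN
    ("eth0", "10.9.9.9", "198.51.100.7"),      # spoofed private source
    ("eth0", "198.51.100.7", "203.0.113.9"),   # ordinary Internet packet
    ("eth1", "192.168.0.22", "203.0.113.9"),   # LAN host going out
    ("eth1", "172.16.5.5", "203.0.113.9"),     # LAN host spoofing another net
]


def apply_policy(packets):
    """Run verdict() over a packet list; returns a parallel list of verdicts."""
    return [verdict(*p) for p in packets]


if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_PACKETS, apply_policy(SAMPLE_PACKETS)):
        print(v, pkt)
```

The first two sample packets are the case the post describes: a packet on the WAN side aimed at 192.168.0.x gets dropped by the rule rather than forwarded, and the LAN-side egress rule stops an infected internal host from sending with a forged source.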
Re:I know I enjoy the added security of a NATed fi (Score:2)
I have to disagree with this point. I find it rather inconvenient.
Consider my IPv6 network. I get all of the benefits you describe (plugging in a new machine and having it magically appear on the network), except it does so with real, routable addresses.
Should have googled.... (Score:4, Interesting)
Re:Should have googled.... (Score:2)
I don't understand. Where does that paper explain how to connect when both computers are behind NATs without using a server?
Why should every device be accessible? (Score:5, Interesting)
An interconnected system of networks that connects computers around the world via the TCP/IP protocol.
This means that the Internet is made up of networks which may themselves be made up of networks, etc. These networks use a common protocol. Most would say that not every device on the network, or even every sub network on the network, has to be connected to the Internet. It is quite arguable that there are benefits, both personal and for the commons, to not have every device connected to the Internet.
What is for sure is that for the Internet to run, everyone who uses it must contribute to its well-being. There have to be enough devices connected directly to the Internet to process and forward all the packets in an efficient and timely manner. I personally pay for a number of services that manage such activity on my behalf. My personal machines, which are not in the primary business of routing packets, are behind a NAT, which is.
Being behind a NAT allows me to manage my network with less effect on the rest of the community. There are still many security issues, and I can still flood others if I get infected, but it is a first step. I would argue that assuming every computer on every network to be directly addressable from every other computer on every other network might not be the best design decision. It certainly fits in well with the TelCo desire to sell at least one IP per device, as they tried to do in the past with telephones, but other than that I do not see the benefit.
Re:Why should every device be accessible? (Score:2)
Open Alternatives? (Score:2)
Well, gnutella and MBlaster are doing well (Score:3, Insightful)
I suspect the author is just bitter that his stuff is not popular anymore. Even if it's possible to talk peer-to-peer, instant messengers with hosted servers are more convenient to use.
Well, it's a free world, but he should have asked if anyone wants to take over the project and then forward the links to that person.
The Evil Media Conspiracy (Score:2)
NAT nonsense (Score:3, Informative)
Even cheap consumer firewalls allow you to accept incoming connections and run services. Furthermore, despite a lot of noise, most broadband providers do not seem to block incoming traffic; too many games and other popular software rely on it.
The only thing that NATs change is that services should be more flexible in the ports they will work with: when you have multiple machines behind a NAT box, you end up having to assign non-standard ports to services if they are being offered by multiple firewalled machines.
I agree that the trend towards relegating end users to a "client" status is disturbing, but NAT is not primarily responsible for that. Inventing bogus technical arguments will not help us reverse that trend.
Another anti-NAT rant: motd on irc.homelien.no (Score:3, Interesting)
"Second, we get overwhelmed by requests to add special access for
LAN parties and small businesses running NAT (for the
illiterate, if your IP address starts with 192.168. or 10., you are
probably running NAT -- and your personal freedom is severely
restricted).
Please understand; our answer will always be NO. It always has
been, and it always will be. I will try to put this in simple
terms; NAT (Network Address Translation) and similar "technologies"
(masquerading, etc) are detrimental to the Public Internet.
NAT destroys the end-to-end transparency of the Internet. If you
do not understand this or the ramifications of this, please READ
UP ON IT and make up your mind. It is a short-term, detrimental
solution to a long-term problem which is most easily solved by
USING UP ALL AVAILABLE IPV4 ADDRESSES AS SOON AS POSSIBLE to force
a transition to IPv6.
irc.homelien.no will never succumb to the incompetence of
consultants. We do, however, realize that a number of our users
actually constitute part of the technician and consultant
community. If you want to give us something in return for
providing this service, increase your awareness of the above
issues. Short and to the point. --edison, Oystein Homelien"
(irc.homelien.no is a popular server on EFnet)
Re:Whining galore (Score:2)
Tell me, how do you support more than 1 user behind a NAT device wanting to do H323/SIP without some kind of application layer gateway/proxy?
Re:Script error (Score:2)
Re:establishing connection between to NATed hosts (Score:3, Informative)
This is the crux, isn't it? If A and B are neither NAT'd, there is no problem.
If exactly one of A and B is NAT'd, the NAT'd party connects to a port on the non-NAT'd party, and everything is good.
If A and B are BOTH NAT'd, then they both probably have non-routable addresses. A has no knowledge of how to get to B and vice versa. The only thing about them that we (should) know is the IP address of the NAT box (assuming there is only one between the
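The three cases this comment walks through can be modelled in a few dozen lines. What follows is an added example, not code from the thread or from Speak Freely: a toy NAT with the two mapping behaviours later named in RFC 4787 (endpoint-independent, the "cone" case, versus address-and-port-dependent, the "symmetric" case) and the usual rendezvous procedure, where both NAT'd hosts first talk to a public server that reports back the mapped address each one appears from, and then send directly to each other. It shows why the direct exchange succeeds between two cone NATs and fails as soon as one side is symmetric, which is the reason a relay server was needed at all. All addresses and port numbers are constructed sample values.

```python
"""Why two NAT'd hosts need a rendezvous point: a small NAT model.

Added example, not code from the thread or from Speak Freely. It models
two NAT mapping behaviours (endpoint-independent vs. address-and-port-
dependent, as classified in RFC 4787) and the classic "hole punching"
procedure: each host first sends to a public rendezvous server, which
relays the public (mapped) endpoint it observed for each host, and then
both hosts send directly to each other. All addresses are constructed.
"""
import itertools


class NAT:
    """Simulated NAT box: a mapping table plus a reply-filter table."""

    def __init__(self, public_ip, symmetric):
        self.public_ip = public_ip
        self.symmetric = symmetric        # True: new mapping per destination
        self.mappings = {}                # key -> public port
        self.next_port = itertools.count(40000)
        self.allowed = set()              # (public_port, remote) pairs let in

    def outbound(self, int_addr, remote):
        """Translate an outgoing packet; returns the public (ip, port)."""
        key = (int_addr, remote) if self.symmetric else int_addr
        if key not in self.mappings:
            self.mappings[key] = next(self.next_port)
        port = self.mappings[key]
        self.allowed.add((port, remote))  # only this peer may answer here
        return (self.public_ip, port)

    def inbound(self, public_port, remote):
        """True if a packet from `remote` to `public_port` gets inside."""
        return (public_port, remote) in self.allowed


SERVER = ("203.0.113.1", 3478)            # constructed rendezvous address
A_INT = ("192.168.0.10", 5000)            # A's private socket (constructed)
B_INT = ("192.168.1.20", 5000)            # B's private socket (constructed)


def direct_attempt(nat_a, nat_b):
    """A guesses an address on B's NAT with no prior traffic: B's NAT has
    no mapping and no filter entry, so nothing gets through."""
    return nat_b.inbound(40000, nat_a.outbound(A_INT, (nat_b.public_ip, 40000)))


def hole_punch(nat_a, nat_b):
    """Rendezvous-assisted connection; returns True if both directions open."""
    # 1. Both hosts register with the server, which records the mapped
    #    endpoint each one appears from.
    a_seen = nat_a.outbound(A_INT, SERVER)
    b_seen = nat_b.outbound(B_INT, SERVER)
    # 2. The server hands each host the other's observed endpoint.
    # 3. Each host sends to that endpoint; this creates the mapping and
    #    the filter entry for the peer on its own NAT.
    a_to_b = nat_a.outbound(A_INT, b_seen)
    b_to_a = nat_b.outbound(B_INT, a_seen)
    # 4. A's packet reaches B's NAT at b_seen's port, from address a_to_b.
    #    On a cone NAT a_to_b == a_seen and B's filter accepts it; on a
    #    symmetric NAT the port toward B differs from the one the server
    #    saw, so the peer's filter entry never matches.
    a_reaches_b = nat_b.inbound(b_seen[1], a_to_b)
    b_reaches_a = nat_a.inbound(a_seen[1], b_to_a)
    return a_reaches_b and b_reaches_a


if __name__ == "__main__":
    for sym_a, sym_b in [(False, False), (True, False), (True, True)]:
        ok = hole_punch(NAT("198.51.100.1", sym_a), NAT("198.51.100.2", sym_b))
        print(f"A symmetric={sym_a}, B symmetric={sym_b}: connected={ok}")
```

The model evaluates both directions after both hosts have sent, which is what happens in practice after a retransmission: the first packet each side sends may be discarded by the far NAT, but it opens the filter on its own NAT for the reply. When either NAT is symmetric the only remaining option is the relay the thread's other comments discuss.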
Re:speakfreely relay server meets bitorrent (Score:3, Informative)
Don't think that'd work. Bittorrent is meant to distribute files. If you're trying to stream audio, the packets need to arrive in sequential order. With BT, the machines you're connected to send pieces of the file (whatever they have), not necessarily in any particular order that makes sense for live audio.
Re:Not surprising. (Score:3, Insightful)
The vulnerability lies in the "one page, one machine" paradigm. If the net operated more like (get ready for the flames) freenet then nobody (not even the RIAA) could be DDOSd into oblivion. A bittorrent sort of structure would ensure popular