Slashdot Mirror


End Of the Line for SpeakFreely: NATed to Death

Arun writes "John Walker (of AutoDesk and Fourmilab fame), primary author of SpeakFreely, has decided to EOL the program (a pioneering network telephony effort), come January 15th, 2004. He cites difficulty in maintaining a decade-old code base, lack of appropriate developer support and a fundamental change in the peer-to-peer nature of the Internet upon which SF is dependent as motivating factors behind his decision. While the last release of the program will continue to be available from SourceForge, the main web site, mailing list, and web forum will be shut down on the aforementioned date." He's got some good points too, like how once IPv6 is more common, most users probably won't go back to one address per machine. I know I enjoy the added security of a NATed firewall, and without a really good reason, I won't be quick to give it up.

339 comments

  1. NAT & firewall by Karamchand · · Score: 2, Informative

    You can have a good and secure firewall even without NAT, in case you didn't know.

    1. Re:NAT & firewall by Anonymous Coward · · Score: 0

      how?

    2. Re:NAT & firewall by Anonymous Coward · · Score: 0

      rtfm

    3. Re:NAT & firewall by demaria · · Score: 1

      Stateful firewall that blocks all incoming connections. Basically the same thing.

    4. Re:NAT & firewall by Jellybob · · Score: 1

      You place a firewall between your network and the internet (possibly inline with your cable modem/main network), which you then set to reject anything you haven't specifically allowed through into your network.

      This will then block any packets on ports other than the ones you've opened from getting through to your network. If you want an easy way of doing this, give FreeSCO a try.

    5. Re:NAT & firewall by Anonymous Coward · · Score: 0

      Read TCP/IP for Dummies and shut your piehole, dipstick.

    6. Re:NAT & firewall by hey! · · Score: 1

      The problem is the way we use vague terms whose definition shifts around.

      A firewall means, to most people, a box that does NAT. However, it used to be a router that could enforce different packet filtering rules. Now it might mean a box that is kind of like a router but can be more nuanced about policies than simple packet filtering (stateful inspection). Or it can combine all three of these technologies in some way.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    7. Re:NAT & firewall by zangdesign · · Score: 2, Insightful

      But if you radiate, you're a target. There's always some little a-hole who wants to take you down for no other reason than ... Hey, look, it's Saturday! Never underestimate the stupidity or maliciousness of a 14-year old skript kiddie.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    8. Re:NAT & firewall by merlin_jim · · Score: 4, Insightful

      You can have a good and secure firewall even without NAT, in case you didn't know..

      Ahh, but NAT is the simplest. I like the fact that I can get a hardware NATting firewall, plug it in, and know that the default configuration is secure. There aren't any holes anywhere, no cracker is gonna scan my network through it, nothing like that...

      Sure you can get that with a regular firewall, but you have to configure it and monitor it and all sorts of other stuff that I, as a consumer, just don't want to do.

      And FYI, I work in the TCP/IP security business. It's not that I don't know how to build a firewall. It's that I don't WANT to when I'm off work...

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    9. Re:NAT & firewall by Anonymous Coward · · Score: 0

      If you want an easy way of doing this, give FreeSCO a try. SCO executives aren't even on trial yet. Isn't FreeSCO a bit premature?

    10. Re:NAT & firewall by mst · · Score: 1

      Yes, but the big problem (as viewed by the SpeakFreely author) is not necessarily the use of NAT as a firewall component as such, but rather the rapid proliferation of shared internet connections with one public IP address. Which, among other things, forces people to use NAT...

      I believe he has good reasons for his concerns. And sadly, once (if ever) we get IPv6, there may well be commercial interests in keeping it that way: One consumer = one IP number as a base service, pay extra for additional IP:s. Which in turn would sustain a market for NAT:ed firewalls. (Someone more into IPv6: Please tell me I'm wrong!)

    11. Re:NAT & firewall by Jellybob · · Score: 1

      I know it's a joke, but I'll bite :P

      FreeSCO is for Free Cisco, because they're attempting to build a floppy bootable version of Linux that has all the features of a Cisco router (although you're probably better off buying the router if you need that sort of power)

    12. Re:NAT & firewall by squiggleslash · · Score: 1

      I understand the logic, but a router that by default blocks incoming connections will, out of the box, be as secure as a NAT router. If and when we get IPv6, that's really what should be in every "DSL router" you get, rather than a "Let's NAT IPv6 too!". It'll, if anything, take less effort. It'll be more reliable too as there'll be no need for the router to record every single open connection, and therefore have to "time connections out" and stuff, which tends to be my #1 problem with it.

      --
      You are not alone. This is not normal. None of this is normal.
    13. Re:NAT & firewall by mindstrm · · Score: 1

      If you think NAT buys you anything, you shouldn't be working in the security business.

      What you might mean is that you have little hardware NATting firewalls that, in ADDITION to doing NAT also have some security features enabled (not forwarding connections from outside, for instance), so you don't have to do any work... but NAT by itself provides absolutely no security whatsoever.

      Those little boxes could be Just as easy to use if we were routing real address space, and they could provide the exact same thing... and it's not harder. The only reason they do NAT is because there is a need for NAT.. not because it is easier, or more secure.

    14. Re:NAT & firewall by Anonymous Coward · · Score: 0

      I agree. In fact NAT breaks so many IP protocols it could be viewed as a DoS. NAT is an ugly hack that will hopefully go away with IPv6, unless too many clueless "security experts" keep spreading the FUD of NAT security.

    15. Re:NAT & firewall by Anonymous Coward · · Score: 1, Insightful

      That's funny. If NAT provides nothing at all in terms of security, why is it that when someone tries to connect to my RPC port they instead hit the router's port (which is closed, of course).

    16. Re:NAT & firewall by Anonymous Coward · · Score: 0

      yeah they don't cost 10k for their looks..

    17. Re:NAT & firewall by Anonymous Coward · · Score: 0

      You think hardware NATing firewalls are immune to exploits?!?! And you claim it's your job to know better?!?!

    18. Re:NAT & firewall by MooseGuy529 · · Score: 1
      rather than a "Let's NAT IPv6 too!"

      So you're talking about ISP's, many notorious for telco-like fee-per-computer-online behavior (Earthlink has a fee-based home networking system, and they won't support you at all if you get your own router) giving customers more than 1 IPv6 address? Either the standard has to end up giving each user a 256-sized block of addresses, or something like that, without a fee, or it's going to end up NATted, since nobody wants to buy multiple IP addresses.

      --

      Tired of free iPod sigs? Subscribe to my blacklist

    19. Re:NAT & firewall by merlin_jim · · Score: 1

      Well I use the term NAT to refer to a piece of hardware that is actually a NATting Firewall... you are absolutely right that NAT by itself provides no security.

      But I challenge you to find one single hardware product for sale today in a consumer electronics retailer that meets your definition of "NAT by itself"

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    20. Re:NAT & firewall by TheCrazyFinn · · Score: 1

      Because, in addition to NAT (Which just does Network Address Translation) you have the port closed on your firewall/router.

      --
      "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
    21. Re:NAT & firewall by AchmedHabib · · Score: 1

      Yes, but depending where you live it can be hard to convince the man (in my case RIPE) that you really need 1000+ IP's. And even when you get it, it's not free. And I would say that for the average company, using NAT is really not a problem.

      Besides, IP telephony is very much alive where I work, but as hardware boxes, where each branch office has a leased line for network connectivity. These lines also carry telephone lines. Which is why when we got hit by the latest worm, our internal phone network also went down with the overload on the routers. I am happy to say that I work with UNIX; my Debian desktop was running fine. Sadly that didn't help much with an overloaded network. :)

    22. Re:NAT & firewall by Anonymous Coward · · Score: 0

      Well according to the other guy, I can get hacked through those closed ports unless I'm running a stateful packet filter. He's full of shit!

    23. Re:NAT & firewall by Anonymous Coward · · Score: 0

      That's it. I'm taking you offline, zangdesign!

    24. Re:NAT & firewall by TheCrazyFinn · · Score: 1

      No he isn't. He's saying that you can get hacked if you're just running NAT. Closing your ports at the router is the most basic firewalling technique (It's usually called Access-listing), and you are doing both NAT and firewalling, not just NAT

      --
      "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
    25. Re:NAT & firewall by Anonymous Coward · · Score: 0

      "Ban the AC post."

      Fuck you asshole. Maybe some of us would like to post without every single post being archived under a single user name and used against us in future legal/divorce/PatriotAct proceedings.

    26. Re:NAT & firewall by squiggleslash · · Score: 1
      No, though ISPs are certainly able to do that if they want. If you go into Staples or a similar consumer-office store, you'll find dozens of "DSL routers" on sale. These plug into conventional DSL or cable modems, and provide the firewalling and NAT services to make sharing easy. Many, if not most, wireless base stations also include this functionality, and ISPs who actively prevent the use of home networking do so at their peril with the rise of wireless.

      I use Earthlink. The rule is that they'll not give you support while you have a network at home. ie if you think there's a problem, before calling them, unplug everything and configure your system to be in the supported configuration. If it still doesn't work, call Earthlink. Earthlink doesn't want to have to babysit people through problems that are entirely unrelated to whether their service is up or not, and I can quite understand why. Yes, they charge extra if you want to get telephone support for a home network, and they have a "supported" home network too. If you know what you're doing, can support yourself, then you don't have to pay extra. All you must do is change the configuration back to the simple configurable one if you call them up. Sounds reasonable to me.

      I believe the "local part" of the IPv6 net is considerably larger than 8 bits FWIW. I suspect ISPs will not give people single IPv6 addresses as it doesn't make a lot of sense for them to do so, why cripple the service you're offering? Still, a mandate, as you say, will help.

      --
      You are not alone. This is not normal. None of this is normal.
    27. Re:NAT & firewall by fmileto · · Score: 1

      "I am happy to say that I work with UNIX my Debian desktop was running fine"
      gnu = gnu's not unix

    28. Re:NAT & firewall by CableModemSniper · · Score: 1

      But doesn't NATing kind of force you to have a firewall in a sense? At least for machines behind the NAT? How do you route incoming connections unambiguously? Pick a random box on the NAT LAN? Duplicate the packet and send it to all the machines? I think to have NAT you must have a firewall at least for new incoming connections.

      --
      Why not fork?
    29. Re:NAT & firewall by Guido+von+Guido · · Score: 1

      Ur, no one is arguing that the extra IP addresses aren't useful with IPv4. :)

    30. Re:NAT & firewall by retrev · · Score: 1

      block all

      that's not so tough is it? linksys could easily fit that in a ROM on one of their consumer firewalls. even simpler than NAT actually

    31. Re:NAT & firewall by LucidityZero · · Score: 1
      You can have a good and secure firewall even without NAT, in case you didn't know

      Kinda, but not fully. Unless you have services that need be accessed, there is no reason not to use NAT. If you use RFC 1918 space, NAT outbound, you simply cannot hit my machine. You can't even reach it. Unless you compromise a dual-homed system, or find a modem that's answering, or steal a valid VPN key and account. But besides very unlikely situations, you just can't reach my systems. You try to hit the IP I have set on my box here, and your packets are dropped at YOUR router before they even hit the net.

      Hell with a firewall and not using NAT.

      --
      Sig.
    32. Re:NAT & firewall by clarkcox3 · · Score: 1

      No, NAT implies at least a minimal firewall. Take the following situation: You have a box that's doing NAT without firewalling. Someone tries to establish a connection to your public IP on port X. What does the NAT box do? It can't let that connection go through, because it doesn't know which private IP to forward it to.

      --
      There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
    33. Re:NAT & firewall by coldiso · · Score: 1

      what about pf with OpenBSD and a transparent Bridge you bunch of n000bs. Keep as many real worlds as you want and still get the beautiful pf firewall.

    34. Re:NAT & firewall by AchmedHabib · · Score: 1

      :D I know, my workstation is not, however, the machines I administer are.
      What I was meaning to say is that I was not one of the Windows admins running around with a wild and tired look on their face because tons of PCs and servers got infected. I just migrated to the terminal room next to the server room where I could work with the machines.

    35. Re:NAT & firewall by Nurgled · · Score: 1

      By blocking all incoming connections, you still can't accept connections from hosts on the Internet, so nothing is solved.

    36. Re:NAT & firewall by pHDNgell · · Score: 1

      But I challenge you to find one single hardware product for sale today in a consumer electronics retailer that meets your definition of "NAT by itself"

      I have one in my cube at work...it's called a LocalDirector.

      --
      -- The world is watching America, and America is watching TV.
    37. Re:NAT & firewall by Nurgled · · Score: 1

      You're not thinking this through properly. The connection is addressed to the NAT box, so the NAT box will deal with it. It will probably simply ignore it because it doesn't have the need to accept incoming connections, but that isn't protecting your internal machines in any way. The packet was not addressed to your internal machines, so they are not involved in this situation.

      With pure NAT and no firewall, I can (theoretically) tell my computer to route packets using your public IP address as a gateway and then connect to your internal IP addresses. The only reason this doesn't work in practice is because most routers on the Internet will drop packets which identify a remote box for routing. This restriction wouldn't exist, for example, on your ISP's network, and if you're on a cable modem, you're probably sharing that network with other customers who are untrusted.

      If your NAT is one way, then the packets from the external host will reach your internal computers with their external address intact. On the other hand, if your NAT is two-way the router will rewrite the source address to be its own (internal) address, add it to the connection tracking table and forward it on to your internal host looking like it came from the router itself.

    38. Re:NAT & firewall by Anonymous Coward · · Score: 0

      Yes you can have a good firewall without NAT, but you have entirely missed the point. ISPs are now using NAT to turn all 'common' internet connections into 'one-way' request-lines, where you can ask for content or a service and have it sent to you, but you cannot offer any service or content yourself. This means your internet connection becomes little better than TV or Radio. Very bad for you, but good for industry control -- and you can be sure that after figuring out a way to keep you subservient, they aren't going to give power back no matter how many IP addresses become available. The very property that made the internet great is being subverted with the good ol' "bait and switch" con.

      "Story at 11" you say? It's getting later all the time...

    39. Re:NAT & firewall by Torne · · Score: 1

      Under IPv6, ISPs are expected to give customers (normal dialup users, cable, business, home, absolutely anything) a /64 to themselves. That's 2^64 addresses.

      IPv6 is specifically designed such that every single user on every single network in the world can have 64 bits of address space to themselves. So, from your cable modem, you can give an IP address to every atom in your house. =)

      I have no idea whether this is actually going to be mandated by a standard; this is just how it is *supposed* to work.

      If ISPs don't do it, it would be pretty useless for them to only give you one address: IPv6 will not be able to allocate any block smaller than a /64 to any organisation, which will give any ISP enough addresses in a single allocation to provide a /31 to every single human being on Earth. In order for a single ISP to provide every human with a /64, they would only need a /33 prefix... (though there are only 131072 /33 prefixes, because 16 bits are used for a type indicator)

      So, it would seem pretty, well, pointless for ISPs *not* to comply =)

    40. Re:NAT & firewall by Illbay · · Score: 1
      But won't IPv6 sort of spell the end of ISPs as we have known them?

      I mean, if you have more addresses available than computers that will be manufactured in the next millennium, why do I have to depend upon an ISP to dole them out parsimoniously?

      Seems to me that you can get a block of the things assigned to you RIGHT NOW, with no muss/no fuss, more than you'll probably ever need your whole life (we'll probably end up bequeathing our network blocks to our posterity when we die).

      The only thing you'll need then is a connection to the 'net. How long before that becomes as commonplace as getting telephone line?

      IMO, we're headed toward "free flight" in terms of how you connect to the cyber-world.

      --
      Any technology distinguishable from magic is insufficiently advanced.
    41. Re:NAT & firewall by merlin_jim · · Score: 1

      I have one in my cube at work...it's called a LocalDirector.

      Who is the manufacturer? Where can one purchase this device?

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    42. Re:NAT & firewall by pHDNgell · · Score: 1

      I have one in my cube at work...it's called a LocalDirector.

      Who is the manufacturer? Where can one purchase this device?

      cisco Systems. There's a bunch of them on eBay right now.

      --
      -- The world is watching America, and America is watching TV.
    43. Re:NAT & firewall by Nemith · · Score: 1

      hmm... how about

      deny all inbound

      Wow, a firewall without NAT. The only reason most of the hardware firewalls are NAT out of the box is due to the fact that most ISP's don't hand out more than one IP. So NAT is just there to share the connection.

      NAT was a good idea and still is for overloading ipv4 networks. And yes it does work as a great natural firewall, but it's not the end all when it comes to security.

      Configure and Monitor stuff on a non NAT firewall? Like what? And you are a TCP/IP security professional. I fear for your networks.

    44. Re:NAT & firewall by TheCrazyFinn · · Score: 1

      You are assuming that Dynamic NAT(1 or more public IPs to multiple internal IP's) is the only kind of NAT. Static NAT (1 external IP mapped to 1 internal IP) also exists, and you can mix the two. What you say is actually only true for NAPT (Network Address and Port Translation) which is what most low-end broadband routers do. Static NAT and mixed-mode NAT do not behave as you describe.

      --
      "You've got an invalid haircut" -Warren Zevon - Life'll Kill Ya
    45. Re:NAT & firewall by Comen · · Score: 0

      Not true at all, most little Cable/DSL routers I have seen, like Netgear and Linksys, are nothing but NAT boxes. My Netgear is simply a NAT box, it does have a port filter, but if you call that a firewall you are mistaken. There is a big difference between a port filter and a firewall that does stateful inspection of IP packets.

      Also, this remark "you are absolutely right that NAT by itself provides no security" is total bullshit. NAT does by itself provide some security. I might give the poster of that remark some credit and assume he is talking about if someone (would have to be his ISP or next hop router) was to add a route to his private IP space; they could, depending on the NAT box, access the local LAN. I have used this before on bigger firewalls even on purpose, but allowing the connections through the firewall rulebase.
      But, in most all cases people that simply put a NAT box in front of their local LAN will be denying access to any open ports that didn't make an outbound connection first on their local LAN, so how can you say that doesn't provide any security?
      Subjects like this are what shows that a lot of slashdot readers should post on what they know about, and not try to post things that they don't understand.

      This argument is almost off topic anyway.
      I found the article aggravating also because the author seems to dismiss that port forwarding the ports needed for Speak Freely is acceptable.
      He sounds like he wants the control of what ports are open and respond to outside connections to be in the hands of the programmers of the software we run. I don't believe that is a good idea at all, and will always prefer to have to open a port up myself, so I know what is allowed to connect to an open port on the local LAN.
      I am not saying a firewall with NAT or without NAT is bad; on most big firewalls I run, I have internal interfaces that do use NAT and that don't use NAT. I consider both just as secure.
      And probably the biggest difference is that the firewall won't allow just any outbound connections. This is good for things like internet worms that get installed through an email virus or something, and a regular NAT box will not stop those outgoing connections at all. And remember that a NAT box will allow incoming connections as long as an outbound connection has requested that return port open for that TCP connection. I believe most UDP connections are even a little more insecure since they usually open the return port based on a time limit, since UDP is not connection oriented.

    46. Re:NAT & firewall by merlin_jim · · Score: 1

      Configure and Monitor stuff on a non NAT firewall? Like what?

      Let's address both of those separately:

      1. Configuration of non-NAT firewalls. I have yet to see a real world situation that warranted a firewall where denying all inbound traffic was a viable solution. Web servers, FTP, SQL, E-mail, etc. Sure, NATting firewalls require the same configuration... but generally the rules are MUCH simpler, since you're only routing one inbound IP Address. You're living in a dream world if you think that denying all inbound traffic is a one-size-fit-all solution.

      Which brings us to:

      2. Monitoring of non-NAT firewalls. Now that you've opened up your internal network to the world, you're just going to sit there and assume it's working? Fuck no! You've got to have intrusion detection systems, bandwidth, port, and deny-log reports. You've got to stay on top of it. And that's not to mention potential patches/updates... sure NATs can have exploits just like firewalls, but since a NAT implementation is much less stateful than a firewall, it's less likely to have them... How is this different from a NAT firewall? Well, since a NAT firewall enforces a simpler network design, the chance of intrusion is far less. For instance, I know every port that's internally routable on my home network... and they are all routed to a single IP Address. So all I have to do is monitor for intrusion on that IP and I'm done...

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    47. Re:NAT & firewall by kasperd · · Score: 1

      The only thing you'll need then is a connection to the 'net.

      That should always have been the most important part of the product sold by your ISP. Most ISPs also have a bunch of servers web/mail/news you can use. I don't know how much providing those servers actually cost, but if they cost anything significant, the ISP should sell connectivity without access to their servers at a lower price.

      --

      Do you care about the security of your wireless mouse?
    48. Re:NAT & firewall by Anonymous Coward · · Score: 0
      When it comes to the subject of operating systems, most of us can agree on at least one thing, and that is the simple plain truth that *BSD is dying. But the deeper question is why? Why did *BSD fail?

      Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personas?

      The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

    49. Re:NAT & firewall by jehicks · · Score: 1

      The only thing that NAT buys you is the ability to have multiple machines behind one IP address.

      If you want security for a single machine without any configuration, a transparent firewall would work without needing to do any address/port translation.

      In an IPv6 network, I would like my provider to give me a /48 or /64 network, so that there is no need for NAT and the application entanglements it causes.

    50. Re:NAT & firewall by Anonymous Coward · · Score: 0

      The perceived security of NAT lies in the lack of routing to private address space. In other words: Many people don't WANT to accept connections from hosts on the internet (at least not without explicitly configuring their hardware to make some exceptions).

    51. Re:NAT & firewall by Nemith · · Score: 1

      This is completely insane. The same problems exist with a NAT firewall and a non-NAT firewall.

      The rules may be much simpler if you are only NAT'ing one IP address. You add NAT'ing of more than one (like most companies need) and then your configuration is much more complicated than a non-NAT firewall.

      So lets say on my NAT firewall I redirect port 80 to my webserver. Then on my non-NAT firewall permit port 80 to go through to my webserver. What the fuck is the difference. I have allowed a security hole in both instances. Both have to be monitored just as much.

      By default what does nat do. Not allow any inbound traffic. Same thing a non nat firewall could/can do.

      Now you are confusing routing and NATing. With, let's say, a Cisco PIX firewall you can do firewalling without NAT. You make the PIX the default gateway out to the internet. Walla, all the data goes to one spot (as with any firewall). You should be able to snort, sniff, and IDS to your delight at one access point. Oh, and now you don't have to trace IP's back to the NAT'ed IP.

      To think that a NAT firewall has _anything_ over a standard access-list based firewall is stupid.
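An added simulation, not code from this thread, from SpeakFreely, or from any router vendor, of the three configurations argued over in comments 13, 37 and 51 above: a NAPT box with no filter, the same box with a stateful "deny inbound except replies" rule, and a stateful firewall on routed addresses with no NAT at all. Addresses, ports and timeout values are constructed; the model ignores TCP flags and treats a NAPT mapping as reachable from any remote host (full-cone behaviour) to make the "return port left open" point visible.

```python
# Constructed model of a consumer router, written to illustrate the thread's
# argument: address translation alone is not a filter, and a stateful
# "deny all inbound, allow replies" rule gives the same protection with or
# without NAT.  Addresses come from the documentation ranges (RFC 5737).
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")          # private side, NAPT case
ROUTED_LAN = ipaddress.ip_network("203.0.113.0/28")   # routed public side, no-NAT case
PUBLIC = "203.0.113.1"                                # router's WAN address
TCP_TIMEOUT, UDP_TIMEOUT = 7200, 30                   # mapping/flow lifetimes (seconds)


class Router:
    """napt=True rewrites LAN sources to PUBLIC; stateful=True forwards inbound
    packets only when they answer a recorded outbound flow."""

    def __init__(self, napt, stateful, lan=None):
        self.napt, self.stateful = napt, stateful
        self.lan = lan if lan is not None else (LAN if napt else ROUTED_LAN)
        self.now = 0
        self.maps = {}     # (proto, public port) -> (lan ip, lan port, expiry); NAPT only
        self.flows = {}    # (proto, lan ip, lan port, remote ip, remote port) -> expiry
        self.next_port = 40000

    def tick(self, seconds):
        """Advance the clock; expired mappings and flows are forgotten."""
        self.now += seconds
        self.maps = {k: v for k, v in self.maps.items() if v[2] > self.now}
        self.flows = {k: v for k, v in self.flows.items() if v > self.now}

    def outbound(self, proto, src, sport, dst, dport):
        """A LAN host opens a connection. Returns the (address, port) seen on the WAN."""
        expiry = self.now + (UDP_TIMEOUT if proto == "udp" else TCP_TIMEOUT)
        self.flows[(proto, src, sport, dst, dport)] = expiry
        if not self.napt:
            return src, sport                     # routed: nothing to rewrite
        pub = self.next_port
        self.next_port += 1
        self.maps[(proto, pub)] = (src, sport, expiry)   # full-cone style mapping
        return PUBLIC, pub

    def inbound(self, proto, src, sport, dst, dport):
        """A packet arrives on the WAN interface. Returns what the router did."""
        if dst == PUBLIC:                         # addressed to the box itself
            if self.napt and (proto, dport) in self.maps:
                dst, dport, _ = self.maps[(proto, dport)]   # translate to the LAN host
            else:
                return "dropped: nothing mapped or listening on the router"
        elif ipaddress.ip_address(dst) not in self.lan:
            return "dropped: not our network"
        # dst is now a LAN host, reached either through a mapping or by a packet
        # that was already addressed to the internal network (comment 37's case).
        if self.stateful and (proto, dst, dport, src, sport) not in self.flows:
            return "dropped: no matching outbound flow"
        return f"forwarded to {dst}:{dport}"


if __name__ == "__main__":
    # Same unsolicited packet to an internal host under each configuration.
    for napt, stateful in ((True, False), (True, True), (False, True)):
        r = Router(napt, stateful)
        print(f"napt={napt} stateful={stateful}:",
              r.inbound("tcp", "198.51.100.9", 40001, str(r.lan[5]), 445))
```

Running the three cases side by side shows that only the stateful rule drops the packet addressed straight to the internal host, and that after the UDP timeout expires the NAPT mapping closes on its own, which is the "return port open on a time limit" behaviour comment 45 describes.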

    52. Re:NAT & firewall by Illbay · · Score: 1
      if they cost anything significant, the ISP should sell connectivity without access to their servers at a lower price.

      Ab-sim-o-lutely!

      I'm just a "regular guy," a computer user. I'm a consulting engineer who works out of my home office, and I have a home-built AMD box sitting in the closet in my office that is my "Internet Server."

      Email goes there. Yes, I use Earthlink (my ISP) SMTP, but that's so I don't have to fuss with the settings to make sure I don't serve as an open relay. I could just as easily send from here.

      About the only thing I really use my ISP for is a newsfeed, because (again) I'm too lazy to set up to suck News because Usenet just ain't what it use to be. But again, I could probably set up NNTP and SMTP on my box one lazy Saturday if I chose.

      And if I "own" my own block of IPv6 addresses, all I need is a line in/out. I don't care if Earthlink provides it, or my neighborhood grocery store.

      --
      Any technology distinguishable from magic is insufficiently advanced.
    53. Re:NAT & firewall by Anonymous Coward · · Score: 0

      oh shut up.

      I hate it when ignorant people speak.

      If all you need is a port 80 and 21 firewall... I'll agree. But the moment you start talking about "stateful", "IDS", AntiVirus wall, VPN, SSH Tunnels... you seriously can forget your little D-Links LOL...

      You're just ignorant. Please, stay in your #linuxhelp channels, and make sure you don't influence anyone into thinking you actually know something.

      FO.

    54. Re:NAT & firewall by Gojira+Shipi-Taro · · Score: 1

      But I don't WANT to accept just "any" connection from the internet. I'll set up the router to accept from where I want to connect from if I have a need. I'm a home user. No one else has any business connecting to my internal machines.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    55. Re:NAT & firewall by 3.1415926535 · · Score: 1

      ISPs are expected to give customers /48 networks, and if they don't, a generous amount of hell will be raised.

      See, e.g., http://www.arin.net/policy/ipv6_policy.html#541.

    56. Re:NAT & firewall by 3.1415926535 · · Score: 1

      I'm not quite sure, but it seems to me that you misunderstand the way IPv6 addresses are delegated -- it's not like you get a /48 assigned to you that's then yours forever. Rather, subnets are delegated to you by your ISP. This ensures aggregation that will greatly improve performance, but a side-effect is that you'll have to renumber if you change ISPs. That shouldn't really be a problem because renumbering is designed to be easy.

    57. Re:NAT & firewall by nr · · Score: 1

      Many of us more experienced internet users do IP-telephony and videoconferencing. Which means accepting "any" connection (= any incoming phonecall) from anyone on certain ports.

      How are you supposing to call someone who is behind NAT? You can't.

    58. Re:NAT & firewall by Illbay · · Score: 1
      it's not like you get a /48 assigned to you that's then yours forever.

      Here's one place you can go to prove you're wrong.

      --
      Any technology distinguishable from magic is insufficiently advanced.
    59. Re:NAT & firewall by 3.1415926535 · · Score: 1

      1. That /48 is delegated to you through freenet6, who acts as your ISP.

      2. Freenet6 is a tunnel broker, which is not at all what I was talking about.

      3. Try getting your freenet6 /48 network routed through he.net -- not gonna happen, which was my original point.

    60. Re:NAT & firewall by Anonymous Coward · · Score: 0

      Well, I just set up a Linux bridge firewall. Something you can't buy as a consumer level device like you can for a NAT firewall hardware device. Works great and allows me to block all or block some only. Very configurable. If you want to find out more go to http://bridge.sourceforge.net

    61. Re:NAT & firewall by Nurgled · · Score: 1

      Yes, but this story was about how IP telephony is made more difficult by everyone using NAT. The proposed solution (blocking everything incoming) does not make IP telephony any easier.

  2. Why, oh why? by Leffe · · Score: 5, Insightful

    Why did I discover this cool application in a discontinuation announcement?

    I wish I had discovered it earlier.

    Oh well, I can only hope that I can repent this mistake in my next life.

    1. Re:Why, oh why? by Anonymous Coward · · Score: 0

      Well since all of the SpeakFreely developers now work on the VoiceWeaver program you can just use that.

    2. Re:Why, oh why? by nutshell42 · · Score: 3, Informative
      Try Teamspeak - I always loved SpeakFreely but since I used Teamspeak for the first time, I've never looked back - the best voip software for Windows/Linux (If you use something else that won't help you much, of course =)

      And it works with NAT (it's more or less like IRC with voice-capability)

      --
      Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
    3. Re:Why, oh why? by aminorex · · Score: 1

      This does not appear to be free software.
      Can you clarify, what is the license?

      --
      -I like my women like I like my tea: green-
    4. Re:Why, oh why? by anagama · · Score: 1

      It sure isn't free - Server license:

      The 'Software Program' ('Teamspeak Server') is a full freeware to everyone using it in a completely non-commercial way. Commercial users need to purchase a license to run the "Software Program". The expression 'commercial use' is defined by the two following points:

      [snip]

      Commercial users have to purchase licenses, more detailed information about buying licenses can be acquired by sending an email to sales@teamspeak.org

      --
      What changed under Obama? Nothing Good
    5. Re:Why, oh why? by nadaou · · Score: 1

      Why did I discover this cool application in a discontinuation announcement?

      N.B.: it is open-source (public domain), and therefore only being abandoned by its original author, not being pulled from public use. It worked fine last year, it works fine now, and it'll work just as fine next month.

      Speakfreely is a mature product that works well NOW. I use it all the time, even over a NAT'd router. All it took to get past the LinkSys was a few minutes of setting up the port forwarding rules in the router setup. No big fuss.

      There will be updates and hopefully one day a SpeakFreely2 from speak-freely.sourceforge.net

      Msg for John, the SF author: Don't let the bastards win!

      Obligatory PS -- update the goddamn Debian package already!

      --
      ~.~
      I'm a peripheral visionary.
  3. Hrml by Nuclear+Elephant · · Score: 2, Funny

    Can you hear me now? Hello? Hello?

    1. Re:Hrml by Nuclear+Elephant · · Score: 0, Offtopic

      How is that off-topic...or do you not know what SpeakFreely is designed to do? RTFA.

  4. Why is this a Problem? by Esion+Modnar · · Score: 1
    I can set up port redirects on my firewall/router to send traffic to any given port on the public side to a specific IP address on the private side of the router. I do this now for using bit torrent.

    Of course, I'm sure there are some technical issues here that are currently beyond my understanding...

    --

    They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
    1. Re:Why is this a Problem? by Olathe · · Score: 1

      According to the article :

      Correct, but experience has shown that a large number of installed NAT boxes either cannot map an externally accessible port to an internal IP address and port, or those who install the boxes do not provide their customers adequate information to permit them to do this. Given the trend, discussed in the last question, toward confining individual Internet users to a consumer role, I believe fewer and fewer users will have the ability to statically map ports as time goes on.

    2. Re:Why is this a Problem? by Fred+Ferrigno · · Score: 4, Insightful
      But isn't the problem really the lack of static port mapping, not NAT?

      (If you don't understand this question, please skip to the next.) Correct, but experience has shown that a large number of installed NAT boxes either cannot map an externally accessible port to an internal IP address and port, or those who install the boxes do not provide their customers adequate information to permit them to do this. Given the trend, discussed in the last question, toward confining individual Internet users to a consumer role, I believe fewer and fewer users will have the ability to statically map ports as time goes on.
      Basically: "Users are too stupid to do port forwarding correctly." Which is probably true in many cases, but it's getting much, much easier to do port forwarding. It's not just cool open source software that's affected by NAT, it's also large commercial software, like computer games and other audio/video conference software. Linksys and D-Link don't want a reputation as user-unfriendly, so they're actively competing to make this easier for users.

      Walker also lists an entire slew of other reasons, but if he used the NAT argument as his central reason to quit, I think he's being very short-sighted. Of course, "because I don't wanna" is always a perfectly valid reason in an open source world, too.
    3. Re:Why is this a Problem? by drsmithy · · Score: 1
      Of course, I'm sure there are some technical issues here that are currently beyond my understanding...

      For example, wanting to forward the same external port to two different internal machines.

    4. Re:Why is this a Problem? by TheLink · · Score: 1

      Users who don't know how to configure port forwarding usually shouldn't.

      People who don't know how to load a bullet into a gun shouldn't be firing guns.

      The cheapest NAT box I bought is now USD43 when I last checked, comes with web configuration (only accessible on the inside interface) and it does static port forwarding. Very simple to configure too.

      --
    5. Re:Why is this a Problem? by Bookwyrm · · Score: 5, Insightful

      It is not a matter of (just) static port mapping, it is more a fundamental problem in the way DNS works with Internet addressing -- or more specifically, the way applications interact with Internet addressing. (This will no doubt invite flames from those outraged at the idea that there might be a fundamental problem/mistake in the Internet.)

      More specifically, what happens when you have multiple machines behind the NAT device? How do you map the ports statically to multiple machines *and* also communicate this information to devices on the outside of the NAT device? (That is, port 80 on the NAT device maps to server1, port 81 on the NAT device maps to server2, etc.)

      The key issue is that applications are using network level addressing (IP addresses) rather than application level addresses (URLs) to establish the network connection -- we have network specific information far too embedded in the applications, which is why the transition from IPv4 to IPv6 is such a nuisance. At the moment, the DNS SRV record could help with some of these matters by specifying a port number to use for a specific service and host/domain.

      A better design for applications would be for them to be completely unaware of 'IP addresses' and function purely on URLs or hostnames + service name, and link to libraries or network drivers on the machine that handle the network aspects. Really -- excepting network management tools, what application bothers about the MAC addresses of machines or PPP negotiation details? IP addresses should not matter to the applications, either -- at that point, much of the arguments against NAT go away.

      Honestly, the fact that NAT causes applications to break is more a reflection on mistakes in the architecture/application. IP packets themselves don't fall over and die just because they transition from a PPP link to wireless to ethernet to SONET to etc. The differing layers are independent of one another -- the applications have not yet been weaned off directly diddling with the IP layer.
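
The SRV approach mentioned above, as an added example written for this page (not code from the thread or from Speak Freely): a client asks for a service on a name and gets back a host and port, so the port a NAT box exposes for each internal server can be published in DNS rather than compiled into the application. The zone is constructed; example.com, gw.example.com, server1/server2 and the _http/_sip owner names are all assumptions, and record selection follows RFC 2782 (lowest priority first, then weighted random within that priority).

```python
"""SRV-record service location: look up a service on a name, get host + port.
Added example, not code from the thread.  The zone below is constructed; all
names in it are assumptions.  Selection follows RFC 2782."""
import random

# Constructed zone: server1 and server2 both sit behind one NAT box,
# gw.example.com, which forwards public port 80 to server1 and 81 to server2.
# The _sip records show priority/weight handling across several targets.
ZONE = """
_http._tcp.server1.example.com. 3600 IN SRV 10 0 80 gw.example.com.
_http._tcp.server2.example.com. 3600 IN SRV 10 0 81 gw.example.com.
_sip._udp.example.com.          3600 IN SRV 10 60 5060 gw.example.com.
_sip._udp.example.com.          3600 IN SRV 10 40 5061 gw.example.com.
_sip._udp.example.com.          3600 IN SRV 20 0 5060 backup.example.net.
"""


def parse_srv(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} from zone-file lines."""
    records = {}
    for line in zone_text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3] != "SRV":
            continue  # only SRV records matter here
        owner = fields[0].lower()
        prio, weight, port = (int(x) for x in fields[4:7])
        target = fields[7].rstrip(".")
        records.setdefault(owner, []).append((prio, weight, port, target))
    return records


def select_srv(rrset, rand=random.randint):
    """RFC 2782 selection: lowest priority first, weighted random within it.

    rand(a, b) must return an int in [a, b]; it is a parameter so the choice
    can be made deterministic for testing."""
    lowest = min(r[0] for r in rrset)
    pool = [r for r in rrset if r[0] == lowest]
    pool.sort(key=lambda r: r[1] != 0)  # weight-0 entries go first, per the RFC
    total = sum(r[1] for r in pool)
    pick = rand(0, total)
    running = 0
    for r in pool:
        running += r[1]
        if running >= pick:
            return r[3], r[2]  # (target host, port)
    return pool[-1][3], pool[-1][2]


def locate(service, proto, name, zone=ZONE, rand=random.randint):
    """What an application should ask for: a service on a name, not an IP and port."""
    owner = f"_{service}._{proto}.{name}.".lower()
    rrset = parse_srv(zone).get(owner)
    if not rrset:
        return None
    return select_srv(rrset, rand)
```

With the constructed zone, `locate("http", "tcp", "server1.example.com")` yields `("gw.example.com", 80)` and server2 yields port 81: the NAT box's port mapping is published in DNS, and the client never needs to know either server's private address. The same lookup for `_sip._udp.example.com` splits calls 60/40 between the two ports on the gateway and only falls back to backup.example.net if no priority-10 record exists.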

    6. Re:Why is this a Problem? by Anonymous Coward · · Score: 0

      It's also a problem because a number of large ISPs do the NAT for you. Especially in the case of university networks, poor college students with high speed connections probably make up a large part of the userbase for this application. Unfortunately, in attempts to kill off p2p, etc, they've thrown the baby out with the bathwater.

    7. Re:Why is this a Problem? by Comen · · Score: 0

      Fred, I totally agree with your post. I was hoping someone would be more on topic and mention that they might think Walker's NAT excuse was a little weak. Most newer NAT hardware couldn't make it easier for someone to port forward to an internal IP address.

      I also think it's a good idea. Walker almost sounds to me as if he wants the control of open ports to the internet to be in the hands of the software programmer. I don't think that's a good idea at all, and think that making users understand the difference between being a normal client on the internet, where MOST applications work fine with nothing changed in a NAT setup, and being a server is a lot different. And making them go open the ports the server uses is a good thing. It makes me feel better when I know what ports have had to be opened and why.

      Port forwarding is a nice thing, and even though on small home NAT boxes it might be hard to do, bigger firewalls give a huge amount of flexibility, so if you have more than one port 80 that needs to be forwarded you use 2 external IPs but might still have 500+ users hidden behind those 2 IPs or whatever. It allows the firewall admin a great deal of flexibility that used to not be there.

      I think that Walker's NAT excuse is a little weak, in my opinion.

    8. Re:Why is this a Problem? by Anonymous Coward · · Score: 0

      Using NAT like that is a bit of a hack. It ceases to be a problem when your ISP allocates you enough IP addresses. The reason NAT products are easier is because it's what people buy. If multiple IPs per connection became common (on consumer ISPs) the firewall people would make something just as good and easy.

      Perhaps the need for unique numbers will drive the take up of IPv6 (or slow it down because of conspiring telcos.)

    9. Re:Why is this a Problem? by plover · · Score: 1
      I've used Speak Freely on and off since 1995, but mostly off because of the firewall at work. I had long wanted to be able to offer vendors and others the ability to contact me directly over the network, but even when I approached the guy who was running our firewall he said "no way in Hell am I going to open up a port." Even back then he recognized the danger of letting unrequested inbound connections through the firewall.

      Personally, I don't think it's strictly the fault of NATing; I think it's firewalling in general. I also think of the security issues that would arise if we weren't all cowering behind firewalls. Given the recent worming of the net, consider the damage that might have been done if Speak Freely were running by default on every installation of Windows XP. How many more security holes would have opened and closed? How many more worms would have propagated if ports 2074-2076 were left open by default?

      I'm sure there was a lot of "I'm done with it" in his decision and that he may have been looking for an excuse, but he's right in that firewalls in general have long been the bane of peer-to-peer apps.

      Anyway, I'll miss LWL. It reminded me a lot of the old days of ham radio.

      --
      John
    10. Re:Why is this a Problem? by Anonymous Coward · · Score: 0
      Walker also lists an entire slew of other reasons, but if he used the NAT argument as his central reason to quit, I think he's being very short-sighted.
      Do a bit of research on Walker: he's had his finger in a mess of important, interesting things many years before anybody else even figured out what they were, let alone why they were important. Short-sighted, he's not.
    11. Re:Why is this a Problem? by nr · · Score: 1

      But our corporation has >10000 desktops worldwide in 135 different countries which are behind NAT. Do you want to configure a specific port-mapping for each of them? Give me a break..

  5. sad to see it go by NumLk · · Score: 4, Interesting

    I used this software several years ago. While it does exactly what it does, the biggest problem was the severe lack of an installed base. Once Yahoo started integrating voice chat into their IM client, I really had no use for it. It's unfortunate though, since I always felt the sound quality was inferior on Yahoo (and the others that have since come along), but I'd imagine that was due to those clients compressing more to save bandwidth.

    --
    Children in the backseats don't cause accidents. Accidents in the back seats cause children.
    1. Re:sad to see it go by Sonnenschein · · Score: 1

      Curious if you have had any luck running Yahoo Messenger (Windows port with voice) in Wine, if you've tried ? I played around with it a few months ago and blew a few gaskets trying to get the thing stable... no real success so far.

    2. Re:sad to see it go by Anonymous Coward · · Score: 0

      There are very good reasons for using SpeakFreely instead of an IM-based VoIP program. But take a look at SpeakFreely's homepage: Do they really expect to reach critical mass without so much as a screenshot? Instead you get lists of technical info with acronyms everywhere. Don't get me wrong, hard facts are very useful, but please, it's a PHONE - people will want to know what it looks like before they install it.

    3. Re:sad to see it go by NumLk · · Score: 1

      Honestly I've never tried. I only use Wine when I absolutely have to run a Windows app in Linux. Generally, I keep an old junker under my desk for apps that really only run on Windows (I.e. Yahoo IM w/ voice, etc), and use VNC from my Linux machine.

      --
      Children in the backseats don't cause accidents. Accidents in the back seats cause children.
  6. Security by Anonymous Coward · · Score: 0

    As we all know, proper network security is vital to keep our systems from being used by terrorists

    1. Re:Security by MimsyBoro · · Score: 1

      Don't click the link. It is too horrible to even begin to imagine...

      --
      God made the natural numbers; all else is the work of man - Kronecker
  7. That's too bad by Rosco+P.+Coltrane · · Score: 4, Interesting

    SF is a great program. It's not graphical bloatware, it supports many compressions, it's somewhat modular ... I've spent countless hours getting a stable 2-way voice comm over a 33.6 dialup link, back in the days, and it actually worked at some point (the rest of the time it didn't, which prompted me to change from AOL to an Internet provider. Thanks SpeakFreely!)

    When I discovered I could have voice conversations with anybody in the world, I was so excited I picked up my phone to tell my friend in Canada :)

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  8. Don't perpetuate myths. by mindstrm · · Score: 4, Insightful

    NAT is about address use, not security. In no way should NAT ever be confused with security, even if it appears to give you some security.

    Every single security feature you like about NAT can also be had without NAT.

    The common things people think they get with nat:

    - Connections that must initiate from inside the network.
    This is easily achieved with a normal firewall and routable addresses as well.

    - My addresses aren't routable, so I'm more secure.

    No, your addresses are perfectly routable, just the internet at large does not route them by agreement. Your ISP could easily configure its routers to get traffic in to your network on those addresses.

    - It hides the real addresses of my machines.

    Not really... or more accurately, to an outside attacker, those addresses don't mean anything anyway. Whether they are known or not is not relevant. A firewall in front of a network of routable addresses could hide things equally well.

    NAT by itself does not reduce exposure. The best example of this would be those who configure NAT in a hurry on Linux 2.4 systems... they set up an SNAT or masquerade rule in postrouting, and that's it.
    That's nat, full, 100% working nat.
    With absolutely no security.

    The ISP could route to their internal network, no problem, making connections to whatever they want.

    This is easily fixed by a few rules.. but then you are into firewalling, and not NAT at all.

    1. Re:Don't perpetuate myths. by Srin+Tuar · · Score: 2, Insightful


      The ISP could route to their internal network, no problem, making connections to whatever they want.


      Care to justify that?
      If you control your NAT router, there is no way the ISP can initiate inbound TCP connections to arbitrary machines behind your NAT box.

      I do agree that NAT isn't really security, just a very easy way to set up a firewall that allows outgoing connection initiation only by default.

    2. Re:Don't perpetuate myths. by AftanGustur · · Score: 1


      The text says : I know I enjoy the added security of a NATed firewall,

      But since this is /. nobody has a brain and you got modded up..

      - It hides the real addresses of my machines.

      Not really... or more accurately, to an outside attacker, those addresses dont mean anyhting anyway. Whether they are known or not is not relevant. A firewall in front of a network of routable addresses could hide things equally well.

      Uhh, a network appliance that does NAT, usually has a configuration that makes it a firewall.. Can you name any network device that does NAT and is not used as a Firewall ?

      NAT by itself does not reduce exposure. The best example of this would be those who configure NAT in a hurry on Linux 2.4 systems... they set up an SNAT or masquerade rule in postrouting, and that's it.
      That's nat, full, 100% working nat.
      With absolutely no security.

      I think you either are trolling or you don't understand the concept.
      A single SNAT rule (as people use) only works one way. i.e. You can connect from "inside" to "outside" but the braindead Microsoft services that run on the workstations behind it are not exposed to attackers or Worms (F.ex. Sobig.f)..

      "NAT", just as a "Firewall" is a *service* provided by one or more network appliances, and there is no one *right* combination of services that can be called the "one true firewall".

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    3. Re:Don't perpetuate myths. by Anonymous Coward · · Score: 0

      Let's say your "hidden" system is at 192.168.66.6 and your ISP has a system with IP address 267.13.90.10. What (except for the unusual octet) would stop your ISP from initiating a connection from 267.13.90.10 to 192.168.66.6:135? In absence of a firewall, your router would take the TCP-SYN packet, look at the routing tables and decide to pass it on into the internal network, where your hidden system accepts the connection by sending a TCP-ACK packet. This and all further packets pass the NAT router unmodified because they're not part of a connection which is listed in the NAT table. So, a NAT device does not necessarily protect against connections from the outside. Throwing away inbound SYN packets destined to addresses which the NAT box does NAT for is an extra, not strictly necessary step, commonly referred to as "firewall".

    4. Re:Don't perpetuate myths. by ortholattice · · Score: 1
      Thank you for writing this. I understand all the usual reasons for using NAT. However, a few years ago I configured a Linux transparent firewall as the main firewall for our small company (with iproute2/iptables) and have used it for several years without a single problem. (The historical reason was that we needed to connect to a VPN that used IP protocol 47, which at the time wasn't easily NAT'able, plus we have plenty of unused static IP's anyway.) It had an uptime of almost 2 years until a long power failure defeated the UPS.

      Anyway over and over I have to defend myself against the naysayers who say NAT is inherently more secure, but when pinning them down can never provide a logical reason. Recently my boss ordered me to change everything to NAT, "because it's more secure - it just is, everyone knows that", burdening me with yet another pointless thing to do. I'll show your post to him.

      BTW iproute2 is simply an amazing program. If you're into firewalls and routing on Linux and haven't heard about it, you should look into it. It lets you do almost anything (transparent firewalls with ARP proxy, for example).

    5. Re:Don't perpetuate myths. by Spirilis · · Score: 1

      So the point being made here is that an ISP who specifies a static route to your internal network by way of your external IP, can successfully route packets into your private network.

      e.g., ISP's system "linux1" could issue-

      linux1$ /sbin/route add -net 192.168.66.0 netmask 255.255.255.0 gw

      and voila, instant routing to 192.168.66.6!

      --
      the real at&t mix
    6. Re:Don't perpetuate myths. by Thomas+Charron · · Score: 1

      - Connections that must initiate from inside the network. This is easily achieved with a normal firewall and routable addresses as well.

      They think they get it with NAT, and they do. You stated it as if they don't get it when they think they do.

      No, your addresses are perfectly routable, just the internet at large does not route them by agreement. Your ISP could easily configure it's routers to get traffic in to your network on those addresses.

      Have you never heard of a netmask? Try it sometime.

      Not really... or more accurately, to an outside attacker, those addresses don't mean anything anyway. Whether they are known or not is not relevant. A firewall in front of a network of routable addresses could hide things equally well.

      Again, you're stating something you could get another way, but NOT stating something NAT doesn't provide. Aka, where are the myths you're trying to clear up?

      The ISP could route to their internal network, no problem, making connections to whatever they want.

      I sense you speak from a lack of knowledge. Netmasks are there for a reason, and every NAT box I've EVER seen uses netmasks to specifically NOT allow the sort of thing you speak of. And as far as an interface routing packets for the wrong interface, you'd have a busted IP stack if it'd pick up stuff transmitted to it that doesn't fit its netmask..

      --
      -- I'm the root of all that's evil, but you can call me cookie..
    7. Re:Don't perpetuate myths. by Thomas+Charron · · Score: 1

      Sure. If they call you up and say 'Dear Mister or Miss Dumbass, please go to your Linux box and type this.'. Go ahead on any standard Linux box who's routing, and type route print. Note that there is an ADAPTER there..

      --
      -- I'm the root of all that's evil, but you can call me cookie..
    8. Re:Don't perpetuate myths. by Anonymous Coward · · Score: 0

      After all these explanations, you still don't get it?

    9. Re:Don't perpetuate myths. by Anonymous Coward · · Score: 0

      The netmask is used to determine if a packet needs to be sent to a router or if the target machine is on the same network and can therefore be contacted directly. It has absolutely nothing to do with rejecting packets. A firewall might use the netmask to create filter rules (which wouldn't get in the way of NAT-penetrating packets btw), but that is a function of a FIREWALL, not of NAT. The simple truth is that just because you're translating outbound connections so that they appear to originate on your NAT box, not a single incoming packet is rejected. If packets are rejected, that is the work of a FIREWALL. Very often these go together, but they are fundamentally different aspects of a network topology and should not be mixed up.
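
To make the NAT-versus-filter distinction argued in this subthread concrete, here is an added toy model in Python. It is not code from any poster and it models packet handling, not a real netfilter ruleset. The addresses are assumptions (192.168.66.0/24 inside, following the earlier example; 203.0.113.10 as the gateway's public address; 198.51.100.7 as the ISP-side host), as is the premise that the ISP has a route pointing the private network at the gateway. It also covers the static port-forward case from the "Why is this a Problem?" subthread: one public port maps to one internal host and port, and no more.

```python
"""Toy model of a Linux-style home gateway: NAT alone versus NAT plus a
stateful filter.  Added example, not code from the thread.  Addresses and
the ISP's routing behaviour are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, replace

LAN_NET = ipaddress.ip_network("192.168.66.0/24")  # private space behind the box
WAN_ADDR = "203.0.113.10"                           # the gateway's one public address
ISP_HOST = "198.51.100.7"                           # some machine on the ISP side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP SYN that opens a new connection


class Gateway:
    """MASQUERADE on the way out, optional DNAT port forwards, and an optional
    stateful FORWARD filter (the "few rules" that turn NAT into a firewall)."""

    def __init__(self, stateful_filter):
        self.stateful_filter = stateful_filter
        self.snat = {}          # public port -> (lan_ip, lan_port) for outbound flows
        self.forwards = {}      # public port -> (lan_ip, lan_port), static forwards
        self.conntrack = set()  # (lan_ip, lan_port, remote_ip, remote_port) opened inside
        self._next_port = 40000

    def add_forward(self, public_port, lan_ip, lan_port):
        """A public port maps to exactly one inside host:port, which is why two
        internal machines cannot both be reached on the same external port."""
        if public_port in self.forwards:
            raise ValueError(f"public port {public_port} is already forwarded")
        self.forwards[public_port] = (lan_ip, lan_port)

    def from_lan(self, pkt):
        """POSTROUTING SNAT: rewrite the source to WAN_ADDR and remember the flow."""
        if pkt.syn:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        public_port = self._next_port
        self._next_port += 1
        self.snat[public_port] = (pkt.src, pkt.sport)
        return replace(pkt, src=WAN_ADDR, sport=public_port)

    def from_wan(self, pkt):
        """Return the packet as delivered to the LAN, or None if the box drops it."""
        if pkt.dst == WAN_ADDR:
            # Addressed to the public IP: only NAT table hits get reverse-translated.
            # (A real filter also needs an ACCEPT per forwarded port; modelled as allowed.)
            mapping = self.snat.get(pkt.dport) or self.forwards.get(pkt.dport)
            if mapping is None:
                return None  # nothing listening on that public port
            lan_ip, lan_port = mapping
            return replace(pkt, dst=lan_ip, dport=lan_port)
        if ipaddress.ip_address(pkt.dst) in LAN_NET:
            # The ISP routed a packet straight at a private address.  No NAT entry
            # matches, so the NAT code never touches it and plain IP forwarding
            # passes it on.  Only a filter rule can stop it.
            if not self.stateful_filter:
                return pkt
            flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return pkt if flow in self.conntrack else None
        return None  # not ours to route


def unsolicited_syn_reaches_lan(stateful_filter):
    """An inbound SYN to 192.168.66.6:135 that the ISP routed at the private address."""
    gw = Gateway(stateful_filter)
    gw.from_lan(Packet("192.168.66.6", 51000, ISP_HOST, 80, syn=True))  # ordinary browsing
    probe = Packet(ISP_HOST, 4444, "192.168.66.6", 135, syn=True)
    return gw.from_wan(probe) is not None


def reply_to_outbound_delivered(stateful_filter):
    """The reply to a connection opened from inside is translated back either way."""
    gw = Gateway(stateful_filter)
    out = gw.from_lan(Packet("192.168.66.6", 51000, ISP_HOST, 80, syn=True))
    back = gw.from_wan(Packet(ISP_HOST, 80, out.src, out.sport))
    return back is not None and (back.dst, back.dport) == ("192.168.66.6", 51000)


def port_forward_delivered(stateful_filter):
    """A static forward for port 2074 (Speak Freely's first port) reaches the host."""
    gw = Gateway(stateful_filter)
    gw.add_forward(2074, "192.168.66.6", 2074)
    call = gw.from_wan(Packet(ISP_HOST, 2074, WAN_ADDR, 2074, syn=True))
    return call is not None and (call.dst, call.dport) == ("192.168.66.6", 2074)


def second_forward_conflicts():
    """Mapping public port 2074 to a second internal machine is refused."""
    gw = Gateway(True)
    gw.add_forward(2074, "192.168.66.6", 2074)
    try:
        gw.add_forward(2074, "192.168.66.7", 2074)
    except ValueError:
        return True
    return False
```

`unsolicited_syn_reaches_lan(False)` is True and `unsolicited_syn_reaches_lan(True)` is False: the NAT-only gateway hands the ISP-routed SYN to 192.168.66.6:135, the gateway with the stateful filter drops it, and replies to connections opened from inside plus the static forward for 2074 work in both configurations. In a real iptables setup the filter half is the FORWARD chain with a DROP policy, an ACCEPT for `-m state --state ESTABLISHED,RELATED`, and one ACCEPT per forwarded port; the SNAT or MASQUERADE rule alone never looks at a packet that matches no existing mapping.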

    10. Re:Don't perpetuate myths. by asdfghjklqwertyuiop · · Score: 1

      They think they get it with NAT, and they do.

      No, they don't. With NAT, they get NAT. Nothing about NAT stops packets with internal source addresses from being spoofed on the outside interface, or packets with internal destination addresses from being sent to the external interface by the ISP or source routing.

      All that stuff is prevented with plain old filtering rules, which have nothing to do with NAT. You'd use them the same way without NAT.

      The ISP could route to their internal network, no problem, making connections to whatever they want.

      Netmasks are there for a reason, and every NAT box I've EVER seen uses netmasks to specifically NOT allow the sort of thing you speak of.

      I have to agree with the other reply you got on this one. You don't understand what netmasks are. All a netmask does is declare the size of the network (IP-wise). It has nothing to do with preventing spoofed packets from making it past your router.

    11. Re:Don't perpetuate myths. by Anonymous Coward · · Score: 0

      Let me ask a question. Do you REALLLLLY trust your ISP? Do you think they are competent? I don't know about you, but I don't think mine are exactly Mensa candidates.

      What if THEY own the router? What am I talking about? A friend has DSL in the county next to mine. Well, it's run by the phone company there. They are not exactly a top shelf group. They know enough to get DSL to work sorta (lots of drops and no connects). But they have the passwords to the 'routers'. They are the NAT/Router boxes. These are the boxes they give to the customers to connect. What if one guy who takes some class figures out he can make everything better does this? Would you KNOW? How would you know? You're just surfing the web. One day everything is cool, the next your box is OWNED. All because some high speed dippo thought he knew what he was doing. Don't think mistakes like this happen? THINK AGAIN. They can not even figure out how my friend's phone line should be wired up, and you're talking 2 wires here. He regularly has to call them (on his cell at his expense) to have them put the wires back in the right place so he can surf the web again. What if they 'get a bit smarter'?

      Me? I have a cable modem. I put in a NAT/Router/Firewall. It's on my side of the network. The cable company's box is not even a firewall; it's pretty much DOCSIS to ethernet. I own the passwords in this case. But it is not always that way...

      NAT buys me NOTHING. It just lets me use more IPs than I really own. That's all it does. The firewall part is what gives me some safety. NAT in reality just gives me a headache because IP is NOT meant to be used this way.

      IPv6 will be the future. It's not a matter of if but when. It has that 'coolness' factor right now. But it is quickly growing into the 'needed' factor.

      Let's say every household has 1 IP for their computer. Some will need 2 or 3 for their computers. Then let's say every company needs one, maybe as many as 100 per company. Let's say everyone with a cell phone needs one. Let's say every mobile computer needs one. Let's say every phone number needs one. Let's say every car needs one. I put it to you that we have already run out of IPs and are using a hack that just breaks the internet. Just as everyone is pissed that VeriSign broke the internet in their own way. We are breaking it with NAT one router at a time.

      NAT has its uses. Computer hiding is not the end all be all of security. If it's all you have your computer could EASILY be broken into. And it would not even need to be from the ISP. It could be done by one of your neighbors (same subnet). I sure hope you do more than that.... Sure hope you get along with them.

  9. NAT to death. by pr0ntab · · Score: 5, Funny

    192.168.0.5/16!

    No...

    172.18.1.3/12!

    No, please, stop

    10.255.255.255/8!

    AAAAAHHAHAHRRRGGNO CARRIER

    --
    Fuck Beta. Fuck Dice
  10. try skype by LennyDotCom · · Score: 0, Offtopic

    I haven't seen this on /. yet maybe I just missed it http://skype.com/ very cool p2p voice over IP

    --
    http://Lenny.com
  11. Yeah that's right, SF and NAT don't work together by Rosco+P.+Coltrane · · Score: 1

    I tried contacting 192.168.0.1 and I keep getting larsen. Disappointing really ...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  12. NAT for security... Not! by rusty0101 · · Score: 3, Insightful

    Just as a point of observation wrt NAT for security, I would like to note that NAT is wonderful at making your system incapable of acting as a publicly accessible network server, but does nothing for a large percentage of the viruses and worms that exist on the internet at this time.

    In fact it can be a serious problem as a significant percentage of the people with NAT on their Broadband gateway are doing little or nothing to improve their desktop security. Why be worried when the gateway will block NAT traffic for me?

    I am probably preaching to the choir, but as a simple example of the flaw, you probably still get, and read e-mail, even behind your NAT firewall. If someone sends you an infected file as an attachment, (that you happen to execute, automatically or deliberately) that happens to be an IRC-Bot that will turn your workstation into a rdos center, your NAT box is unlikely to do anything to protect your PC. In fact now that the bug is running on your system, it has the potential to check for other systems in your home network that are vulnerable to various exploits that you haven't patched for, because you are "safe behind my nat firewall".

    Suddenly you have multiple boxen in your network that are all accessing the internet without your awareness, and downloading whatever the bug writers have decided to have them download. It's not even remotely improbable that your NAT secured network may become a spamming source without you knowing about it.

    NAT as a security tool is the network equivalent of Security through Obscurity, and is just as flawed.

    -Rusty

    --
    You never know...
    1. Re:NAT for security... Not! by Rosco+P.+Coltrane · · Score: 1

      Just as a point of observation wrt NAT for security

      For the nth time, NAT has nothing to do with security. NAT is essentially an IP address multiplexer. It used to be for people who didn't want to pay for more than one IP but wanted several computers to access the Net several years back, and it used to be frowned upon by ISPs, if not outright prohibited by them. Now it has become a necessity due to IP shortage, and you'll notice most ISPs don't mind anymore for that very reason.

      Again : NAT HAS NOTHING TO DO WITH SECURITY.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:NAT for security... Not! by rusty0101 · · Score: 1

      Did you even read the observation?

      --
      You never know...
    3. Re:NAT for security... Not! by Anonymous Coward · · Score: 0

      If someone sends you an infected file as an attachment, (that you happen to execute, automatically or deliberately) that happens to be an IRC-Bot that will turn your workstation into a rdos center, your NAT box is unlikely to do anything to protect your PC.

      If this infected box is behind NAT, it can't work as a distributed denial of service attack-zombie since it still can't receive any commands.

    4. Re:NAT for security... Not! by blair1q · · Score: 1

      Useless. If I wanted to actually talk to slashdotters, I'd run for office.

    5. Re:NAT for security... Not! by Guido+von+Guido · · Score: 1
      This isn't even true.

      You've got a worm that installs a trojan which runs a DDOS program. How do you find out which machines the worm has installed the trojan on? One way is to scan for them, but this is time consuming.

      Alternately, you can have the trojan connect to you for instructions. As this is an outbound connection, NAT will permit this. (This is noticeable, too, but

      You can forbid this with an access list on your firewall, of course, but that has nothing to do with NAT.

      I should also point out that those same access lists will also tend to prevent the trojan from receiving instructions.

    6. Re:NAT for security... Not! by squiggleslash · · Score: 1

      I think you just repeated what he wrote.

      --
      You are not alone. This is not normal. None of this is normal.
    7. Re:NAT for security... Not! by rocca · · Score: 1

      Huh? NAT has nothing to do with email worms -- NAT is a network layer protocol -- email is an application layer protocol. Comparing the two issues is like saying "my car isn't protected from accidents because someone might shoot me through my front window"

  13. Whining galore by Jailbrekr · · Score: 1, Troll

    But isn't the problem really the lack of static port mapping, not NAT? (If you don't understand this question, please skip to the next.) Correct, but experience has shown that a large number of installed NAT boxes either cannot map an externally accessible port to an internal IP address and port, or those who install the boxes do not provide their customers adequate information to permit them to do this. Given the trend, discussed in the last question, toward confining individual Internet users to a consumer role, I believe fewer and fewer users will have the ability to statically map ports as time goes on.

    I call BULLSHIT. Each and every firewall/nat box I have worked with supports reverse port mapping, DMZ, or uPnP. It sounds like he is having trouble adapting to the changing technology.

    --
    Feed the need: Digitaladdiction.net
    1. Re:Whining galore by caluml · · Score: 1
      At first, when you first discover NAT, you think that it's a good thing. Then, after a while with it, you realise its limitations.

      Tell me, how do you support more than 1 user behind a NAT device wanting to do H323/SIP without some kind of application layer gateway/proxy?

    2. Re:Whining galore by Anonymous Coward · · Score: 1, Informative

      *ding ding ding* give the man a cookie!

      i'll dumb it down in case you've never heard of h.323 or anything of that description.

      lets say there's this protocol for a program. it assumes that all content will be delivered from a static port. lets call this port '80' for kicks, and to really make it easy to understand. so, if i have a system behind a NAT that wants to serve content, i have to do the following:

      on the NAT-box: all connections to port 80, forward to 10.0.0.2:80. fairly straightforward.

      however, what happens when i want to have two machines inside the network both serving content?

      well, i could have the NAT box forward all connections to port 80 to 10.0.0.2:80 and port 81 to 10.0.0.3:81. however, this mythical protocol that uses port 80 has a lot of clients implementing it that are stupid and always assume port 80 is the one to connect to. all of a sudden, binding a forward to port 81 isn't an option.

      many industry-standard protocols act like the mythical protocol described above. they listen on defined ports for incoming data ('push' would be the buzzword). this totally pooches the NAT user with many people behind the NAT.

      now, we see the problem. NAT is good, but it introduces a lot of limitations! these can be defeated by climbing higher up the OSI model and implementing proxy/gateway setups on the NAT box but that doesn't help when your NAT box is a dumb piece of hardware that can only be told to forward packets at the IP layer..

    3. Re:Whining galore by Anonymous Coward · · Score: 0

      1) What's wrong with an application layer gateway / proxy ? It means that you can't use a $50 hardware router, you have to buy a $50 used computer and install linux, but what's the big deal ? Simple easy to configure firewall / NAT / routers such as smoothwall will have a clickable turn on H323 gateway as that gets more popular.

      2) What's wrong with routing different ports to different machines behind the NAT ? For example, if I have 5 webservers I am setting up for various customers, and I need them to be able to check them out before heading down to the co-lo, I can make the urls myhomebox.dyndns.org:8080, myhomebox.dyndns.org:8081, myhomebox.org:8082, etc. Essentially IP address space is mapped into the port address space. You can't do this with SIP or H323 ?

      Just for the record, I do consider the ISPs to be holding back the internet with their various misguided attempts to cripple their own service. It just seems that there is a work around in this case.

    4. Re:Whining galore by Anonymous Coward · · Score: 0
      Incoming blockquote!
      1) What's wrong with an application layer gateway / proxy ? It means that you can't use a $50 hardware router, you have to buy a $50 used computer and install linux, but what's the big deal ? Simple easy to configure firewall / NAT / routers such as smoothwall will have a clickable turn on H323 gateway as that gets more popular.
      Thanks, Mr. Elitist, but the rest of the planet doesn't want to learn how to become a Unix administrator just to make Netmeeting work. After all, you just admitted that your 'turnkey' solution isn't one, and requires an update to do H323.
    5. Re:Whining galore by Anonymous Coward · · Score: 0

      You simply don't have both servers serving content directly behind the same NAT. Something doing logic should be in front of them. Why would a business buy a 4 slot router and use that as their entire solution???

    6. Re:Whining galore by Anonymous Coward · · Score: 0

      Well, all that means is that when the whole world needs to do it, there will be a bootable CD that autodetects everything, and the non-Unix administrators will download it and boot it.

      Like smoothwall, as I mentioned.

      Look at the product sold at martian.com. Think you need to be a Unix Administrator to setup a samba shared file server and printer ? No, just pop in the disk and boot.

    7. Re:Whining galore by Anonymous Coward · · Score: 0

      Sounds like you're projecting yourself.

  14. What's NAT have to do with addresses per machine? by petard · · Score: 1
    I know I enjoy the added security of a NATed firewall, and without a really good reason, I won't be quick to give it up.

    What makes you think that NAT implies one address for many machines? Even if you want the extra security provided by NAT, if you have many addresses available, you can translate one routable address per internal machine. I certainly look forward to IPv6 for this reason, but I'm not holding my breath :-)

    --
    .sig: file not found
  15. In Europe ISPs do not NAT their customers! by Anonymous Coward · · Score: 5, Interesting

    Here in the Netherlands at least, both the major broadband providers (UPC and KPN) give all customers a generically routable IP.

    Customers using a cable modem or dsl modem get a live wild-side IP and a unique hostname such as:
    node139a2z.xs4all.nl
    by which they're already DNS addressable.

    Most commodity OS's and even the cheap (horrific!) home-router products I've seen have port forwarding capability, so there's really no such problem as he describes here.

    Does anyone have different experience elsewhere?
    The States, for instance? I'd like to hear.

    Liam.

    1. Re:In Europe ISPs do not NAT their customers! by Anonymous Coward · · Score: 0

      I live in the Netherlands and have a static IP from my ADSL provider.

      However my ADSL modem, which has just 1 ethernet port, uses NAT by default.

      So I had to setup portforwarding on it to use certain services.

      And if you use more PCs on your broadband connection you will have to use NAT since you only get 1 IP (or you should look for a provider that gives multiple IPs).

    2. Re:In Europe ISPs do not NAT their customers! by Anonymous Coward · · Score: 0

      In the states many of the ISPs do not give you a DNS name to your IP address. You have to provide that yourself through a service such as dyndns.org, which cannot provide the reverse lookup. The big cable modem ISPs claim this is part of the "business" package, and separate out that service so they can slice up the market more finely.

    3. Re:In Europe ISPs do not NAT their customers! by Anonymous Coward · · Score: 0

      What ADSL modem do you have?

      I have an e-tech router product/modem that somewhat sucks, but it has bridge mode for direct pptp tunneling to the provider (phew, now I can use linux netfilter instead!). Alcatel non-router modems work this way too.

      But what I really want to know:

      Are there broadband providers out there like @home in the states etc, who are really providing connectivity *without* a wild side routable address to their customers, truly denying them inbound connectivity !!?? I never heard such a thing...

      That would be quite serious, in which case, he has a point!
      Liam.

    4. Re:In Europe ISPs do not NAT their customers! by frohike · · Score: 4, Informative

      Here in the Netherlands at least, both the major broadband providers (UPC and KPN) give all customers a generically routable IP.

      ...

      Does anyone have different experience elsewhere? The States, for instance? I'd like to hear.

      Not only do most (all?) of the US broadband providers give you a globally routable IP, many of them actually get angry with you if you try to use NAT, because they want to have a one IP to one machine mapping for charging your account. Comcast in particular even has language in their AUP that says they may take legal action against you if you try to use NAT to install more machines (which is totally stupid, but there it is).

      I've got a lot of respect for Walker in other areas, but this NAT rant is just barking up the wrong tree. NAT boxes are installed by users so that they can get more functionality out of the limited IPs available to them, not by ISPs to limit the users. I know Cox cable will help you install a NAT network, but they by no means require it or lock it down. At any time you could simply plug your machine straight into the internet and be just like everyone else. Or get a better NAT box!

      On the other hand, saying that the internet is transitioning to a client/server architecture at the hands of corporate overlords isn't a big stretch at all (limited upstream, blocking HTTP ports, etc) but it has nothing to do with NAT.

      Anyway, as others have said, if he is just tired of writing the program for a perceivably uninterested audience, he should just stop and turn it over to an SF project, like he's done. No need for this NAT rant...

    5. Re:In Europe ISPs do not NAT their customers! by Anonymous Coward · · Score: 0

      You do realize, of course, that the problem is not with ISPs NATing their customers, but with customers NATing themselves because they have more than one computer yet the ISP just gives them a single IP address and charges exorbitant prices for more IP addresses without increasing the bandwidth available to the multiple machines.

    6. Re:In Europe ISPs do not NAT their customers! by GiMP · · Score: 1

      The funny thing about Comcast, although they "require Windows or Macintosh" and disallow NAT.. they have a forum at comcast.net with such topics as using "alternative OS" and "home networking".

      Although the marketing and sales departments are quite against anything but MacOS 9 (yes 9) or Windows 95/98/XP (no 2000/NT), their technical staff careless about what you run.. and they may in fact endorse it.

      The technical guys still won't give you help with your Linux box.. but if you give them specific, OS independent questions, they will do fine.

    7. Re:In Europe ISPs do not NAT their customers! by Anonymous Coward · · Score: 0

      According to research at an English university, "careless" is an adjective and not a verb as you used it.

      I think you meant that the technical staff "couldn't care less".

    8. Re:In Europe ISPs do not NAT their customers! by valkraider · · Score: 1

      Actually, Comcast is about to start a service where they will charge you something like $12 a month, and they will PROVIDE and SUPPORT a home network AND WIRELESS connections, AND double your pipe speeds. It will hit at the same time their HD signals and VOD services hit, probably this fall. They are training, and setting up the infrastructure to administer and bill for this service as I type this.

    9. Re:In Europe ISPs do not NAT their customers! by squiggleslash · · Score: 1
      I've got a lot of respect for Walker in other areas, but this NAT rant is just barking up the wrong tree.
      No, he's right. There's a difference between recognizing that something is, by and large, necessary at the moment, and feeling it necessary to believe it's a good thing. NAT, or more generally, coding an entire network as a single IP address (be it NAT, transparent proxies, whatever) is a hack. It's a godawful, braindamaged, cripples-the-Internet hack. It also happens to be just about the only tool available to allow the vast majority of us to hook a network up to the Internet. Which is why we all use it. I suspect even Walker uses it. I use it.

      Likewise, I used to use a MODEM to connect to the Internet. Imagine! I used to use a box that remodulated digital signals to convoluted wave forms so that another box, on the end of an electric cable, could demodulate them and convert them back into digital signals. That was fucked up. It's still fucked up when I use the things today. It's the wrong solution, but it was the only solution, and today it quite often still is. I think we can all safely say that someone criticising the use of modem connections as braindamaged is not criticising their users or suggesting that modems aren't necessary because of current circumstances.

      When IPv6 comes about, we need to ditch NAT. It offers no security advantages that "blocking all incoming connections by default at the router" doesn't offer anyway. And IPv6 is, by itself, going to add a layer of security because worms, etc, are going to have to be far more clever to find local hosts; scanning a range of IP addresses will take years to do. Let's at least accept that NAT's a problem, even if we have no choice but to use it to get the job done at the moment.

      --
      You are not alone. This is not normal. None of this is normal.
    10. Re:In Europe ISPs do not NAT their customers! by andrew+cooke · · Score: 1

      Here (Santiago, Chile), I get an externally visible address for my cable modem, but it's via DHCP, so can change (in practice, it does so very rarely, so I use it as webmail server; my public site is with a colo in the USA). I can't remember what the contract says, but I wouldn't be surprised if I was only supposed to have one machine connected (that was the case in the UK, when I was there). However, nobody has complained about my using NAT (I have a Linux box as firewall with two internal subnets - one has the Linux box with a Windows machine, the other is connected to a wireless hub; the wireless subnet is filtered by MAC with *no* direct local access to the firewall machine).

      --
      http://www.acooke.org
  16. Re:Yeah that's right, SF and NAT don't work togeth by nbvb · · Score: 1

    Yes, but where's berra?

  17. IETF tools for media through NAT by __aadkms7016 · · Score: 4, Informative

    The IETF midcom group has been working on solutions for passing media streams through NATs and other middleboxes for a few years now. One protocol, STUN, is already a standards-track RFC, and the group has other tools in progress. These tools work with the IETF multimedia suite (SDP, SIP, RTP, etc).

  18. No static port mapping? by LoadStar · · Score: 4, Insightful

    First off, let me say I have no idea what Speak Freely is. My comments are solely in response to some of the reasons he gives for discontinuing the program.

    Had his reasoning behind discontinuing the project rested solely on his lack of time and an aging code base, I don't think I'd have an issue. Instead, he goes on to blame the NAT protocol and boxes that implement it, like the very popular cable/DSL "routers," and many of his issues seem to either misunderstand them or deliberately misstate what they can do.

    He makes comments like, "Since the user no longer has an externally visible Internet Protocol (IP) address (fixed or variable), there is no way (in the general case--there may be "workarounds" for specific NAT boxes, but they're basically exploiting bugs which will probably eventually be fixed) for sites to open connections or address packets to his machine." He continues to state, "experience has shown that a large number of installed NAT boxes either cannot map an externally accessible port to an internal IP address and port, or those who install the boxes do not provide their customers adequate information to permit them to do this."

    First of all, I have yet to see a NAT device that cannot statically map ports to a machine inside the local area connection. If there is one, I'd love to know about it so I can tell anyone to avoid it. Some are more rudimentary than others - like one I know about that has no UI to distinguish TCP and UDP inbound ports - but they all offer some way of mapping inbound ports.

    His argument is that they don't provide sufficient documentation to allow end-users to do so, and this may be the case. But if one is to discontinue development of a program based on the fact that someone else is providing poor documentation, there wouldn't be any development going on - documentation for most hardware/software products in the last 3 years or more has been horrid in my experience.

    His argument that the internet is moving towards a client-server model rather than a peer to peer model is undeniable. It's been moving that way since they allowed home computers on the internet, and shouldn't be a surprise to anyone. Still, this doesn't mean the "clients" can't continue to utilize products that utilize a peer to peer architecture. He dismisses peer to peer file sharing products while overlooking the fact that they're the most successful peer to peer architecture network to exist in the history of the internet, and disproves his argument that NAT spells the end of peer to peer.

    In the end, it seems he just didn't want to continue developing his program - and instead of being honest, he thought he'd use this opportunity to climb on his soapbox and make some waves by blaming NAT for the ills of the internet and the death of his program.

    1. Re:No static port mapping? by Graff · · Score: 1
      In the end, it seems he just didn't want to continue developing his program - and instead of being honest, he thought he'd use this opportunity to climb on his soapbox and make some waves by blaming NAT for the ills of the internet and the death of his program.

      I don't think it quite comes off that way. I believe that his point is that most people who use his software are simply operating behind a NAT and either don't know how or are not bothering to redirect a port to an internal IP. So what is happening is that the program does not work well for those people and so the program is falling less and less into use. Given that situation I can totally understand the desire to shelve further support of a dying program and I don't blame him for what he is doing, he is taking the most graceful out he can.

      Yes he could solve the problem by setting up a central server and acting as a meeting place/redirector. However, he is totally correct that the bandwidth issues make this option less than optimal for a free service and the additional administration overhead is PITA also. So I think that the developer is spot-on in his explanation and is actually doing his best to inform people as to the how and why of the situation, not that he is using this as a soapbox against NAT.
    2. Re:No static port mapping? by FrostedWheat · · Score: 1

      He dismisses peer to peer file sharing products while overlooking the fact that they're the most successful peer to peer architecture network to exist in the history of the internet, and disproves his argument that NAT spells the end of peer to peer.

      It could. P2P services still work because there is still a significant number of users not behind any kind of NAT box. If everyone was behind a NAT box, none of those P2P apps would work.

      I just hope NAT doesn't become the 'default', but it looks like that's what is going to happen. There are single user USB modems these days that use NAT!! *shrugs*

    3. Re:No static port mapping? by hey! · · Score: 4, Insightful

      First of all, I have yet to see a NAT device that cannot statically map ports to a machine inside the local area connection.

      True, but to be fair, you are making two assumptions:

      (1) The user who wants SF controls the firewall and
      (2) The user who wants SF knows how to configure the firewall to forward ports

      Generally, in IT supported situations (1) will be false; in home situations (2) will be false.

      So, for the majority of potential users behind NAT boxes, NAT is a significant enough barrier to using this program to dissuade experimenting with it.

      But if one is to discontinue development of a program based on the fact that someone else is providing poor documentation, there wouldn't be any development going on - documentation for most hardware/software products in the last 3 years or more have been horrid in my experience.

      Depends on whether you can take the pain for the user. If the problem is that the Foo API is poorly documented, then you can insulate the user from it. If the problem is that the user has a tough learning curve before he can try your stuff, it's a big issue. I was screwing around with an open source java project recently that (a) provides source code only and (b) uses a non-standard build system and (c) has lots of dependencies. After spending a couple of days, I was making progress on it, but eventually decided that the expected return on my efforts didn't justify using it over a different means of getting the same thing accomplished.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:No static port mapping? by drsmithy · · Score: 1
      First of all, I have yet to see a NAT device that cannot statically map ports to a machine inside the local area connection.

      Port forwarding is a functional, if somewhat fiddly, way to allow direct connections in.

      Unfortunately, as soon as you have multiple clients behind the NAT box it becomes at the very least a major PITA (if you have to organise a specific port mapping for each person and whomever wants to connect to them) and more likely completely broken (in the case of applications that cannot change ports or no way of telling clients which non-standard port to use).

      All the people saying that there's no problem with NAT and that port forwarding works great need to consider the scenario of multiple clients behind the NAT box.

    5. Re:No static port mapping? by Kufat · · Score: 1

      If everyone was behind a NAT box, none of those P2P apps would work.

      Step 1:
      Forward a port range to the machine running your peer to peer program.
      Step 2:
      Tell the peer to peer program to use that port range.
      Step 3:
      Manually input your external IP into that program. (Usually, this is next to the box where you specify your port range.)

      It's not rocket science, folks. That's how I can connect to another Direct Connect user who's also behind a NAT, and how I can have an FTP server that works in both active and passive mode, etc etc etc. It's sometimes a pain in the neck, and not all applications support specifying your external IP, but more and more are adding that feature.

    6. Re:No static port mapping? by smallpaul · · Score: 1

      What if there were a standard whereby applications inside the NAT could request statically mapped ports?

    7. Re:No static port mapping? by Moofie · · Score: 1

      Yeah. Stupid people, expressing their opinions. You get the torches, I'll bring the pitchforks.

      --
      Why yes, I AM a rocket scientist!
    8. Re:No static port mapping? by Anonymous Coward · · Score: 0

      heh. subversion perhaps?

      AC.

  19. NAT is 80% of a firewall by JaCKeL+1.0 · · Score: 1

    FYI NAT is 80% of a firewall, the other 20% is port and protocol filtering.

    1. Re:NAT is 80% of a firewall by Anonymous Coward · · Score: 0

      NAT isn't an essential part of a firewall, that's bullshit.

    2. Re:NAT is 80% of a firewall by JaCKeL+1.0 · · Score: 1

      Hum, I guess you should also read TCP/IP for dummies. A firewall's purpose is to hide the LAN from the WAN (NAT) and to filter and analyse packets, ports and protocols.

    3. Re:NAT is 80% of a firewall by LurkerXXX · · Score: 1

      Maybe you should learn some networking besides 'dummies' books. All that can be done without NAT. I suggest getting some O'Reilly books and really learning about networking.

    4. Re:NAT is 80% of a firewall by mikiN · · Score: 1

      I don't know about your book, but in my book a firewall (in the computer network sense) is just a security scheme for controlling and possibly monitoring access from one (part of a) network to another and possibly vice versa.

      It makes perfect sense to use a firewall to control access from or to a single host, and in that case you don't really need NAT.

      The fact that NAT is included in most firewalls nowadays is just a matter of convenience, not of definition.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    5. Re:NAT is 80% of a firewall by MCZapf · · Score: 1
      When most people here refer to "NAT" they actually mean to refer to "IP Masquerading," i.e. hiding a [private] network behind one [public] IP address. But, that's not the only kind of NAT. You can also have a one-to-one mapping of IP addresses, so all your machines are still addressable. And I'll bet there are other ways to do it too; I'm no expert.

      Does anyone here remember the joy of having public IP addresses and having everything just work? None of this 192.168.x.x stuff. None of these problems trying to get connections to work inside and out of your private network.

      I think a lot of people forget what a pain NAT is because they've gotten used to it - even to rely on it for "security."

    6. Re:NAT is 80% of a firewall by Anonymous Coward · · Score: 0

      yes in the early years of my cable modem usage, I just plugged the modem into a hub with the rest of my computers, and they all faithfully pulled down their own public IPs from the dhcp... for free...

  20. establishing connection between two NATed hosts by datrus · · Score: 1

    There is something I don't understand in his announcement: he says it's not feasible to set up a server that acts as a third party to set up connections between NATed hosts because it would require too much bandwidth.
    But wouldn't it be possible to build a server that is used just to set up the connection and send the subsequent data directly between the initial hosts, thereby not using the server's bandwidth?

    David

    1. Re:establishing connection between two NATed hosts by Anonymous Coward · · Score: 0
      But wouldn't it be possible to build a server that is used just to set up the connection and send the subsequent data directly between the initial hosts, thereby not using the server's bandwidth?
      YES, it's possible to do exactly what you suggest. I have seen it done with my own eyes.
    2. Re:establishing connection between two NATed hosts by Anonymous Coward · · Score: 0

      Yes, VoIP companies do it all the time -- they run an H.323 gatekeeper that does not act as a proxy.

    3. Re:establishing connection between two NATed hosts by hey! · · Score: 2, Informative

      send the subsequent data directly between the initial hosts

      This is the crux, isn't it? If A and B are neither NAT'd, there is no problem.

      If exactly one of A and B is NAT'd, the NAT'd party connects to a port on the non-NAT'd party, and everything is good.

      If A and B are BOTH NAT'd, then they both probably have non-routable addresses. A has no knowledge of how to get to B and vice versa. The only thing about them that we (should) know is the IP address of the NAT box (assuming there is only one between them and the Internet). Therefore, the NAT boxes would have to be aware of and participate in the protocol.

      NAT service developers are not going to bother with a protocol that requires special handling until it reaches critical mass (like RealAudio did some years ago). What this guy is saying is that he can't reach sustainable mass because of NAT boxes. It's Catch-22.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
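      The two situations argued over in this thread, the "mythical protocol" whose clients hard-wire one port so that only one server behind the box can be reached, and hey!'s point that two NAT'd hosts can only meet through a third party that hands out addresses rather than relaying the media, can be shown with a toy model. The following Python is an added example for this page, not Speak Freely code or anything from the posters; it models a port-restricted masquerading NAT (one common behaviour, assumed here, not what every box does) and uses constructed addresses from the documentation ranges. The rendezvous server plays the STUN-style role of telling each side what its translated address looks like from outside.

```python
"""Toy model of a port-restricted masquerading NAT box (added example, not Speak Freely code).

Addresses are constructed from documentation ranges (10/8, 192.168/16, TEST-NET-1/2/3).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port) the packet currently claims to come from
    dst: tuple      # (ip, port) it is addressed to
    payload: str


class NatBox:
    """One public IP, one port mapping per inside flow; inbound is admitted only from
    remotes the inside host has already sent to, or through an explicit static forward."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.ext_port = {}    # inside (ip, port) -> external port
        self.inside_of = {}   # external port -> inside (ip, port)
        self.peers = {}       # external port -> set of remote (ip, port) already contacted
        self.forwards = {}    # static forward: external port -> inside (ip, port)

    def add_forward(self, ext_port, inside):
        """Static port mapping; one external port can point at only one inside socket."""
        if ext_port in self.forwards:
            raise ValueError(f"port {ext_port} already forwarded to {self.forwards[ext_port]}")
        self.forwards[ext_port] = inside

    def outbound(self, pkt):
        """Inside -> Internet: allocate or reuse a mapping, remember the peer, rewrite the source."""
        port = self.ext_port.get(pkt.src)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.ext_port[pkt.src] = port
            self.inside_of[port] = pkt.src
            self.peers[port] = set()
        self.peers[port].add(pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Internet -> inside: deliver via a static forward or a matching flow, else drop (None)."""
        ip, port = pkt.dst
        if ip != self.public_ip:
            return None  # addressed to a private IP on the outside interface: never routed inward
        if port in self.forwards:
            return Packet(pkt.src, self.forwards[port], pkt.payload)
        if port in self.inside_of and pkt.src in self.peers[port]:
            return Packet(pkt.src, self.inside_of[port], pkt.payload)
        return None


def port_forward_collision():
    """Two inside servers whose clients all hard-wire port 80: only one of them is reachable."""
    nat = NatBox("203.0.113.1")
    nat.add_forward(80, ("10.0.0.2", 80))
    collided = False
    try:
        nat.add_forward(80, ("10.0.0.3", 80))   # second server wants the same external port
    except ValueError:
        collided = True
    nat.add_forward(81, ("10.0.0.3", 80))       # the box allows this, but port-80-only clients never use it
    hit = nat.inbound(Packet(("198.51.100.7", 5555), ("203.0.113.1", 80), "GET /"))
    leak = nat.inbound(Packet(("198.51.100.7", 5555), ("10.0.0.3", 80), "GET /"))
    return collided, hit.dst, leak   # (True, ("10.0.0.2", 80), None)


RENDEZVOUS = ("192.0.2.10", 3478)   # constructed address of the rendezvous server


def rendezvous_call():
    """Alice and Bob, each behind a different NAT, learn their translated addresses from the
    server and then punch a hole; the server never carries the media itself."""
    nat_a, nat_b = NatBox("203.0.113.1"), NatBox("198.51.100.1")
    alice, bob = ("10.0.0.2", 5000), ("192.168.1.3", 5000)
    seen = {}   # what the server records: the source address each registration arrived from
    seen["alice"] = nat_a.outbound(Packet(alice, RENDEZVOUS, "register")).src
    seen["bob"] = nat_b.outbound(Packet(bob, RENDEZVOUS, "register")).src
    log = {}
    # Bob calls the address the server handed out: dropped, Alice's box has no flow toward Bob
    log["unsolicited"] = nat_a.inbound(Packet(seen["bob"], seen["alice"], "hi")) is not None
    # Alice sends first: this opens permission at her NAT, but Bob's NAT drops it for the same reason
    log["alice first"] = nat_b.inbound(nat_a.outbound(Packet(alice, seen["bob"], "hi"))) is not None
    # Bob sends: his NAT now remembers Alice's public address, and hers already admits his
    delivered = nat_a.inbound(nat_b.outbound(Packet(bob, seen["alice"], "hi")))
    log["bob after punch"] = delivered is not None
    # Alice's retry now passes Bob's NAT too; from here both sides talk directly
    log["alice retry"] = nat_b.inbound(nat_a.outbound(Packet(alice, seen["bob"], "hi again"))) is not None
    return log, delivered.dst


if __name__ == "__main__":
    print(port_forward_collision())
    print(rendezvous_call())
```

      The model also shows why the "safe behind my NAT" feeling exists at all: a packet aimed straight at a private address on the outside interface, or at a mapped port from a host the inside never contacted, goes nowhere. That is exactly the property that blocks the first direct call between two NAT'd peers, and it is the same property a stateful "deny inbound by default" rule gives without any address translation.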
    4. Re:establishing connection between two NATed hosts by OeLeWaPpErKe · · Score: 1

      To be entirely fair, because of the way UDP NAT has to work (and because you can lie about the originating address of a packet) you can still get them to open a connection.

      This is obviously hacking, and should be (and is, where I am NATted) a punishable offence.

  21. Re:natty nat nat by Anonymous Coward · · Score: 0

    Call in WIPO, we're gonna have a TacoNATting party!

  22. Here's the fix by mr_beanz · · Score: 0

    NAT with direct connectivity... when you need it: NATural IP

  23. Script error by Anonymous Coward · · Score: 0
    1. Re:Script error by ScrewMaster · · Score: 1

      Definitely an argument for not allowing Anonymous COWARDS to post links.

      --
      The higher the technology, the sharper that two-edged sword.
  24. Not surprising. by Krapangor · · Score: 1

    What we see here is the death of all applications and protocols which fail to work with dynamic addressing.
    Static addresses are an extremely dangerous threat from security and privacy points of view. Furthermore they make the network non-dynamic and less immersive. People recognized this even in the infancy of the internet, that's why there are static-to-dynamic readdressing schemes like e.g. DNS.
    All apps/protocols which don't cooperate with the dynamic addressing paradigm are bound to die in the near future. This might even affect services with only semi-dynamic support.
    And that's the real reason why speak freely won't come back to life when ip6 is installed. Not because of an evil, dark ISP conspiracy which wants to enslave customers. But because the dynamic addressing paradigm will still rule the internet and thus speak freely won't work.

    --
    Owner of a Mensa membership card.
    1. Re:Not surprising. by poptones · · Score: 2, Insightful
      What drugs are you on? If I have a DNS entry then the machine can be tracked down by that entry. It doesn't matter if the entry is static or dynamic, if http://my.local.machine changes IP every five minutes it can still be cracked just as easily as if it were static.

      The vulnerability lies in the "one page, one machine" paradigm. If the net operated more like (get ready for the flames) Freenet then nobody (not even the RIAA) could be DDoS'd into oblivion. A BitTorrent sort of structure would ensure popular documents were always widely available, but the downside (of course) is that less popular content might end up lost. Of course, one can also make the argument nothing would really get lost because some archivists would specialize in retaining this info, just like projects like the Wayback Machine do with physical sites.

    2. Re:Not surprising. by tftp · · Score: 1

      His problem has nothing to do with static vs. dynamic IP addresses. He has the LWL server to overcome dynamic addressing, and he has had it there for 8 years already.

  25. Sure. by mindstrm · · Score: 1

    I'm referring to the average home user here.

    By full nat, no security, I mean this:

    After the configuration I mentioned, the user will be able to use multiple computers behind his NAT box, and they will all be able to surf the net using his one public IP address. So, as far as NAT goes, it's doing its job.

    By "no security" i mean that, let's say his internal interface is 192.168.1.1/24.... if his nat box receives a packet on the outside interface destined for, say, 192.168.1.3, it will route it to the appropriate box. (The response may be obscured by the nat rules.. depending). An outsider now has complete access, more or less, to the network.

    To be more secure, you also need to block all connections not originating inside the network... typically by
    - Deny forwarding by default
    - Permit forwarding of established connections
    - Only allow connections to be established from inside the network.

    But.. that's not NAT.. that's just general firewall security stuff...

    All I'm trying to say is that nat and security are two independent things, that only look similar at first.. you can have either one without the other.

    1. Re:Sure. by GiMP · · Score: 1

      - Only allow connections to be established from inside the network


      In Linux 2.4, this should be default with rp_filter which I believe is automatically enabled when ip_forwarding is enabled. Of course, making sure that rp_filter is enabled explicitly is always a good idea :)
    2. Re:Sure. by mindstrm · · Score: 1

      rp_filter is supposed to be turned on when forwarding is enabled, yes.

      reverse path filtering has nothing to do with my example though... and nothing to do with NAT.

      ip_forwarding is about routing.... and in routing there is no sense of "inside" or "outside"... no concept of which direction a connection came from.

      rp_filter serves to drop packets that look like they were sourced at one interface, but arrived on another one. It's a limited form of spoof protection. It has no knowledge of higher layer protocols like TCP, and certainly no kind of session tracking.

      In this case, my source address is perfectly valid, and so is the destination, and no spoofing is involved.

      You should never rely on rp_filter for anything.. your firewall rules should take care of that in a more absolute way.
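
The configuration mindstrm describes in "Sure." and the rp_filter exchange above it, modelled as an added example in Python (not code from the thread): a gateway that only does SNAT forwards an outside packet addressed to an RFC1918 host, rp_filter catches only a packet whose source belongs on a different interface, and a deny-by-default FORWARD policy with connection tracking is what actually blocks unsolicited inbound traffic, while still letting an inside host connect out to anyone (the "made a connection back to me" case raised later in the thread). Interface names, addresses, ports and the simplified connection tracking are assumptions.

```python
"""Added example, not from the thread: a toy model of the forwarding path of a
Linux 2.4-style NAT gateway.  SNAT alone forwards an outside packet addressed to
an RFC1918 host, rp_filter only catches packets whose source is reachable via a
different interface, and only a stateful FORWARD policy blocks unsolicited
inbound connections while still letting an inside host connect out.  Interface
names, addresses and ports are illustrative; routing, FORWARD filtering and
POSTROUTING SNAT are folded into one function."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUTSIDE, INSIDE = "eth0", "eth1"
PUBLIC_IP = "203.0.113.5"              # the gateway's single public address (assumed)
LAN = ip_network("192.168.1.0/24")     # the private network behind it


@dataclass(frozen=True)
class Packet:
    iface: str   # arrival interface on input, departure interface on output
    src: str
    sport: int
    dst: str
    dport: int


def route(addr):
    """Plain routing: the LAN prefix is reached via eth1, everything else via eth0."""
    return INSIDE if ip_address(addr) in LAN else OUTSIDE


def rp_filter_ok(pkt):
    """Reverse path filter: accept only if the route back to the source leaves via
    the interface the packet arrived on.  Knows nothing about connections."""
    return route(pkt.src) == pkt.iface


class Gateway:
    def __init__(self, stateful):
        self.stateful = stateful   # False: SNAT only; True: deny-by-default FORWARD policy
        self.conntrack = {}        # (translated src, sport, dst, dport) -> original inside src

    def forward(self, pkt):
        """Returns ("ACCEPT", packet as delivered) or ("DROP", reason)."""
        if not rp_filter_ok(pkt):
            return "DROP", "rp_filter: source belongs on another interface"
        if pkt.iface == INSIDE and route(pkt.dst) == OUTSIDE:
            # Outbound: record the flow and masquerade the source behind PUBLIC_IP.
            self.conntrack[(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
            return "ACCEPT", Packet(OUTSIDE, PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)
        if pkt.iface == OUTSIDE:
            inside_src = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            if inside_src is not None:
                # Reply to an established outbound flow: undo the NAT and deliver inside.
                return "ACCEPT", Packet(INSIDE, pkt.src, pkt.sport, inside_src, pkt.dport)
            if self.stateful:
                return "DROP", "FORWARD policy DROP: not part of an established connection"
            # NAT only: an outside packet addressed to 192.168.1.x is routed in like any other.
            return "ACCEPT", Packet(route(pkt.dst), pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "DROP", "not forwarded"


def scenarios(stateful):
    """Verdicts for the cases argued in the thread, with or without the stateful policy."""
    gw = Gateway(stateful)
    outsider, web, lan_host = "198.51.100.9", "192.0.2.10", "192.168.1.3"
    return {
        "outside to lan smb": gw.forward(Packet(OUTSIDE, outsider, 5555, lan_host, 139))[0],
        "spoofed lan source": gw.forward(Packet(OUTSIDE, lan_host, 5555, "192.168.1.1", 139))[0],
        "lan to web": gw.forward(Packet(INSIDE, lan_host, 40001, web, 80))[0],
        "web reply": gw.forward(Packet(OUTSIDE, web, 80, PUBLIC_IP, 40001))[0],
        "lan connects back to outsider": gw.forward(Packet(INSIDE, lan_host, 40002, outsider, 4444))[0],
    }
```

`scenarios(False)` accepts the outside packet to port 139 on the LAN host; `scenarios(True)` drops it. Both drop the spoofed packet (that is all rp_filter contributes), both pass the web reply, and both accept the LAN host connecting out to the outsider, which is why a firewall that only looks at direction does nothing against malware that dials home.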

  26. Seems like a semantics game by garrulous · · Score: 1

    Maybe NAT isn't the best means of securing a network but if it stops one person from getting in then it is providing security. NAT by itself does not reduce exposure. The best example of this would be those who configure NAT in a hurry on Linux 2.4 systems. No, that sounds like the worst example. Faulting the whole of NAT for its weakest implementation seems like a straw man fallacy. A weak door is still a security measure. Not as secure as a stronger door by definition. But it does keep out the passing strangers who might be tempted to enter if I left it open.

  27. Dullard users by Anonymous Coward · · Score: 1, Insightful

    In a world where virtually every NAT appliance will allow portmapping to an inside address, the only reason why consumers are losing control of the Internet is because-- thanks to their sluggish complacency-- they're making that choice as default by inaction. It takes the brains of a snail and about 5 minutes looking at documentation or ubiquitous and thoughtfully provided online help from the appliance itself to figure out portmapping. As long as most people voluntarily emulate mental midgets, projects like SF are doomed.

    1. Re:Dullard users by kfg · · Score: 1

      To be fair, the average home user, even the power user, doesn't even know that ports exist, let alone what one is, does, or how to map them.

      By the time they get their NAT box working their brains are still trying to figure out what the hell this "Default Gateway" thingy is, or why anyone should care about it.

      Absorbing information takes time, and you can't take in related information based on previous information until that previous information has been understood and internalized.

      This is why the average MCSE who took that 2 week crash course to pass the test turns out to be clueless by the time he actually shows up for his first day at work. N'est-ce pas?

      In a world where even developers often can't be bothered to learn even the basics of networking I'll cut the home user a little slack. It'll take even the most motivated of them a couple of months to figure out what their box can do, and why it does it.

      Most aren't that motivated, nor is there any particular reason to expect them to be so.

      KFG

  28. Listen, NAT supporters! by oddityfds · · Score: 0

    This is your fault. How does that make you feel?

  29. You are wrong. by mindstrm · · Score: 1

    The way IPv6 is designed, it will be easier for the ISP to just assign you real address space for all your computers. By "easier", I mean "easier than doing NAT".

    It's not all a scam... the reason IP addresses cost money now, and NAT is so common, isn't really because ISPs are greedy.. it's because at some point the technical guys said "Look, we don't have enough space for everyone, and it's a pain to manage", so they give out one address per connection... and at some point, after it was determined addresses were sort of scarce, the ISP figures "If there is demand, we can always sell it".

    IPv6 will make things easier.. fosho

    1. Re:You are wrong. by anti-NAT · · Score: 1

      Generally correct.

      However, it wasn't that they (the IANA / RIR) didn't want to give out addresses, they just needed to stop giving out so many. Their _previous_ allocation methods were going to cause a shortage of IPv4 addresses.

      So, they changed their policy from "we'll give you what you want" to "we'll give you what you need, after you show us a plan".

      You can still get plenty of IPv4 addresses today, you just have to show that what you are requesting is reasonable, not excessive.

      --
      The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  30. NAT destroying the Internet by anti-NAT · · Score: 3, Funny

    Why do people just love NAT ?

    Is it a "superiority complex" thing ?

    "Ha ha ha, I'm better than the hackers, my addresses are hidden".

    or

    "Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.

    It's a pity these NATters don't realise

    • NAT doesn't protect you from email payload viruses.
    • NAT doesn't protect you from spy where. You downloaded that when you downloaded the free P2P software. Once inside your NAT box, it can establish more outgoing TCP connections, and download what ever it likes.
    • TCP connections are full duplex - data (innocent or malicious) can be downloaded via a TCP connection initiated in the outgoing direction. That is how the WWW works !

    Its just breaking the Internet, killing off useful peer to peer applications like speakeasy.

    Do people like screwing around with their NAT box configuration every time they add a new P2P application? (dumb question on Slashdot I suppose).

    For those that think it is wonderful, spend some time reading and understanding this RFC

    RFC 2993 - Architectural Implications of NAT

    Until that point, you don't have an informed opinion about NAT, so you shouldn't express it.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:NAT destroying the Internet by PhoenixFlare · · Score: 3, Interesting

      Why do people just love NAT ?

      Is it a "superiority complex" thing ?


      No, troll, people love it because it adds security, it's easy to do, and it's already built into many consumer devices.

      "Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.

      Hee hee, my ISP (Time Warner, maybe you've heard of the company) doesn't care if I hook up more than one PC. They even asked if I wanted help setting up a home network when I started service.

      # NAT doesn't protect you from email payload viruses.
      # NAT doesn't protect you from spy where. You downloaded that when you downloaded the free P2P software. Once inside your NAT box, it can establish more outgoing TCP connections, and download what ever it likes.
      # TCP connections are full duplex - data (innocent or malicious) can be downloaded via a TCP connection initiated in the outgoing direction. That is how the WWW works !


      Nobody sets up NAT to protect against email viruses or spyware, except in whatever fantasy world you're pulling arguments from.

      Its just breaking the Internet, killing off useful peer to peer applications like speakeasy.

      The author of SpeakEasy apparently failed to notice that 99% of NAT devices out there today can be set up to do port forwarding. I'm using a Linksys 4-port router/switch myself, for example, and if I needed to open a port for something like SpeakEasy, I could have it done in 30 seconds- open up the config page in a browser, put in the external+internal ports, pick which internal IP to forward to, save, and done.

      Do people like screwing around with their NAT box configuration everytime they add a new P2P application ? (dumb question on slashdot I suppose).

      Sorry, but any of the good p2p apps don't require any screwing around to work, and if they do, it's optional (eMule, for example).

    2. Re:NAT destroying the Internet by anti-NAT · · Score: 1

      Don't waste my time and yours calling me a troll until you have read the link I posted. You don't have an informed opinion about NAT, so you shouldn't express it.

      --
      The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    3. Re:NAT destroying the Internet by PhoenixFlare · · Score: 2, Interesting

      Yes, troll, I've already read that RFC, and it doesn't change my mind, really. The issues it raises can be dealt with rather effectively, and I still see no reason why NAT should have made SpeakFreely's author quit the project.

      The author even says this:

      " But one operational advantage with firewalls is that they are generally installed into networks with the explicit intent to interfere with traffic flow, so the issues are more likely to be understood or at least looked at if mysterious problems arise. The same issues with NAT devices can sometimes be overlooked since NAT devices are frequently presented as transparent to applications."

      Read that a few times if it doesn't sink in. Firewall/NAT boxes are supposed to interfere with traffic flow. But if traffic needs to pass through, it can be allowed quite easily, as I said in the previous comment.

      Seems you're the one who shouldn't be expressing your opinion, since you're basing your whole position on an RFC devoted to the problems of NAT.

    4. Re:NAT destroying the Internet by Anonymous Coward · · Score: 0

      > But if traffic needs to pass through, it can be allowed quite easily,

      I'm glad you realize there are limitations to NAT.

    5. Re:NAT destroying the Internet by sharkey · · Score: 1
      spy where

      Spy there.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    6. Re:NAT destroying the Internet by Kevin+DeGraaf · · Score: 0

      "Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.

      And with that, your credibility rating drops to zero. Thanks for playing; have a nice day.

      --
      We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
    7. Re:NAT destroying the Internet by Anonymous Coward · · Score: 0

      I can't figure out how performing NAT provides any security beyond what a firewall that denies incoming connections provides. Perhaps you'd like to enlighten me.

      Also, I don't know if you've done it. But emule (like other p2p) works a LOT better with a HIGHID than a LOWID. If you have 2 users, neither of whom can accept incoming connections, there's simply no way to establish a connection between them. Sure, the network still works, but you're cutting off a lot of potential sources.

    8. Re:NAT destroying the Internet by pHDNgell · · Score: 2, Informative


      "Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.

      And with that, your credibility rating drops to zero. Thanks for playing; have a nice day.


      Apparently you missed the research that went into this. There are multiple ways. There are some basic packet sniffing mechanisms that can tell how many systems are initiating the connections as well as other methods.

      --
      -- The world is watching America, and America is watching TV.
    9. Re:NAT destroying the Internet by pHDNgell · · Score: 1

      No, troll, people love it because it adds security, it's easy to do, and it's already built-in to many consumer devices.

      NAT does not in any way add security. The last two sites I've broken into (one was a shell, the next was an entire fvwm setup) were on RFC1918 addresses. I just convinced the system to make a connection back to me.

      If you don't want connections coming into your network, don't allow them at the firewall. That's the security. Disallow everything you don't know you need. NAT is not a replacement for a firewall, even if you do end up with a side-effect that appears to be similar.

      --
      -- The world is watching America, and America is watching TV.
    10. Re:NAT destroying the Internet by Jonner · · Score: 2, Informative

      Counting client hosts behind NAT is quite possible, so I think it's your credibility that has dropped.

    11. Re:NAT destroying the Internet by PhoenixFlare · · Score: 1

      NAT does not in any way add security. The last two sites I've broken into (one was a shell, the next was an entire fvwm setup) were on RFC1918 addresses. I just convinced the system to make a connection back to me.

      So you (probably illegally) broke into two boxes, and want your opinion to be trusted? Hasn't this been a big issue lately? Sorry, but I don't give that sort of activity very much weight.

    12. Re:NAT destroying the Internet by pHDNgell · · Score: 1

      So you (probably illegaly) broke into two boxes, and want your opinion to be trusted? Hasn't this been a big issue lately? Sorry, but I don't give that sort of activity very much weight.

      Hey, good assumption.

      So, when someone announces a specific technique to work around something that is considered ``a security measure,'' it makes a lot of sense to assume the person was breaking the law, and security measures should only protect from things being used lawfully.

      I'm probably missing your point, but if you're worried about security, you might want to consider that someone might actually break the law when circumventing your ``security'' measures.

      The irrelevance of your assumptions is working in your favor to negate their incorrectness in this case.

      --
      -- The world is watching America, and America is watching TV.
    13. Re:NAT destroying the Internet by Uerige · · Score: 2, Informative
      "Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.
      I know there are ways to find out if there is more than one box initiating connections from a specific link. I don't care. I, like many other people, use NAT because my ISP will cancel my account if they find out I'm using their dialup for my network, not for a single computer. They are not trying too hard to find out, because they don't really want to lose their customers, they only need to do a bit of checking to please the lawyers.
    14. Re:NAT destroying the Internet by PhoenixFlare · · Score: 1

      I didn't say "Oh, you must have broken the law, there's no other way!". When someone says they've broken in somewhere, that usually implies doing it without permission, and what you said pointed to that. All I did was make a guess from what you provided.

      If all you did was find a flaw in a security measure, then say so.

      I'm probably missing your point, but if you're worried about security, you might want to consider that someone might actually break the law when circumventing your ``security'' measures.

      Probably. You might want to consider that security measures can be tested against unlawful techniques without actually breaking into someone's system against their wishes.


      The irrelevance of your assumptions is working in your favor to negate their incorrectness in this case.


      Whatever. You don't exactly seem to be a paragon of non-assumptiveness and detail either.

    15. Re:NAT destroying the Internet by pHDNgell · · Score: 1

      When someone says they've broken in somewhere, that usually implies doing it without permission

      Perhaps it does for you. I've had to break into my house and cars a few times as well. Don't tell me I did that.

      If all you did was find a flaw in a security measure, then say so.

      OK, I found a flaw in assuming NAT assists at all in security. I'm sure that proves my point quite well.

      Probably. You might want to consider that security measures can be tested against unlawful techniques without actually breaking into someone's system against their wishes.

      Again, you are incorrect in assuming that I, as a system administrator (at the time) wasn't responsible in proving the lack of security at that location.

      It's still an irrelevance that is distracting from the original point, though. NAT does not enhance security.

      --
      -- The world is watching America, and America is watching TV.
    16. Re:NAT destroying the Internet by Anonymous Coward · · Score: 0

      Hah, who's the troll here? Did you really read the RFC, or just the introduction?

      Over the 6-year period since RFC-1631, the experience base has grown, further exposing concerns raised by the original authors. NAT breaks a fundamental assumption of the Internet design: the endpoints are in control. Another design principle, 'keep-it-simple' is being overlooked as more features are added to the network to work around the complications created by NATs. In the end, overall flexibility and manageability are lowered, and support costs go up to deal with the problems introduced.

    17. Re:NAT destroying the Internet by aminorex · · Score: 1

      If you think that *any* security measure defends
      against *all* attacks, you need to reconsider.
      A security measure is something that improves the
      security of a system. NAT does that.

      --
      -I like my women like I like my tea: green-
    18. Re:NAT destroying the Internet by Gojira+Shipi-Taro · · Score: 1

      So a black-holed NAT router doesn't prevent port scans on machines inside the LAN from machines outside the firewall? that's news to me.

      Preventing port scans might not be bullet proof security, but it beats leaving machines hanging in the breeze for anyone to poke at.

      Sorry, I'll stick with NAT + sane security practices. I'm not interested in having someone who brags about breaking into systems poking at my machines. They're not there to satisfy your curiosity, they're my property. If I didn't invite you to probe them, you're specifically prohibited from doing so.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    19. Re:NAT destroying the Internet by pHDNgell · · Score: 1

      So a black-holed NAT router doesn't prevent port scans on machines inside the LAN from machines outside the firewall?

      A misconfigured router can do the same thing, but it's still not the right tool for the job you're trying to do.

      Any basic firewall is supposed to block that kind of stuff by default. If it also does NAT, that's not the reason it does NAT.

      --
      -- The world is watching America, and America is watching TV.
    20. Re:NAT destroying the Internet by evilviper · · Score: 1
      NAT router doesn't prevent port scans on machines inside the LAN from machines outside the firewall? that's news to me.

      No, it doesn't. It will prevent beginners from making connections to your internal network, but that's about all. There are NUMEROUS ways to circumvent a NAT... You need packet filtering in place to prevent your LAN machines from receiving unwanted connections.

      might not be bullet proof security

      It's not security at all, it's obscurity. The only thing it's going to stop are those that don't realize a NAT is there, or don't yet know the ways to get around a NAT.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    21. Re:NAT destroying the Internet by Kevin+DeGraaf · · Score: 1

      Don't be a moron.

      If you had actually read the article to which you linked, you would discover that the "technique" presented for determining the number of hosts behind a NAT box is incredibly imprecise and very easy to fool.

      The article is filled with hedging, excuses, and admissions that the technique is flawed.

      The technique relies on the IP header identification field being chosen by a simple incrementing function, an assumption that was bad to begin with, and will only become worse as IP stack writers use more complex functions to generate IPid fields.

      Indeed, as many of the comments to that article indicated, Linux and the BSDs (for example) already support the use of PRNGs for this function, thus utterly destroying the utility of this technique. If ISPs were stupid enough to begin using this technique and hassling users over it, you can damn well bet that ALL implementations of NAT would randomize the IPid field lickety-split.

      If my reasonable arguments haven't convinced you, perhaps the author of the paper can. I quote from page 5: "A properly designed NAT can block information leakage."

      Now whose credibility has been destroyed, punk?

      --
      We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
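
The IP ID heuristic argued about above, as an added example in Python that is neither the paper's code nor anything from the thread: observed ID values are chained greedily into per-host sequences, and the number of chains is the host estimate. It is run over constructed packet streams for three hosts behind one NAT, and shows the estimate is right when every stack uses a simple counter, blows up when the stacks randomize the field, and reads 1 when the NAT rewrites the field with its own counter (the "properly designed NAT" quoted from the paper). The gap threshold and the simplified chaining rule are assumptions.

```python
"""Added example, not from the thread or the paper it discusses: the IP ID
sequence heuristic for counting hosts behind a NAT, and the two things that
defeat it (randomized IDs, and a NAT that rewrites the ID field).  The packet
streams are constructed here; the chaining rule is a simplified form of the
published technique."""
import random

ID_SPACE = 1 << 16   # the IPv4 identification field is 16 bits
MAX_GAP = 64         # an ID at most this far ahead of a chain's last ID is taken to be the same host


def count_hosts_by_ipid(ids, max_gap=MAX_GAP):
    """Greedy chaining.  Each observed ID joins the chain whose last ID it most
    closely follows (mod 2^16, within max_gap); otherwise it starts a new chain.
    The number of chains is the estimated number of hosts."""
    chains = []  # last ID seen on each inferred host
    for ipid in ids:
        best, best_delta = None, None
        for i, last in enumerate(chains):
            delta = (ipid - last) % ID_SPACE
            if 1 <= delta <= max_gap and (best_delta is None or delta < best_delta):
                best, best_delta = i, delta
        if best is None:
            chains.append(ipid)
        else:
            chains[best] = ipid
    return len(chains)


def sequential_ids(start, n):
    """A stack that uses a simple incrementing counter (the assumption the heuristic relies on)."""
    return [(start + i) % ID_SPACE for i in range(n)]


def random_ids(n, seed):
    """A stack that draws IDs from a PRNG, as the comment says Linux and the BSDs can."""
    rng = random.Random(seed)
    return [rng.randrange(ID_SPACE) for _ in range(n)]


def observed_outside_nat(host_streams, seed=7):
    """Merge per-host streams in a deterministic pseudo-random order: the packet
    order an observer on the NAT's public side would see.  Per-host order is kept."""
    rng = random.Random(seed)
    queues = [list(s) for s in host_streams]
    merged = []
    while any(queues):
        q = rng.choice([q for q in queues if q])
        merged.append(q.pop(0))
    return merged


def nat_rewrites_ids(ids, start=1):
    """A NAT that replaces every ID with its own counter, so the outside sees one
    sequence no matter how many hosts are behind it."""
    return sequential_ids(start, len(ids))


def estimates():
    """True host count is 3 in every scenario; returns the heuristic's answer for each."""
    seq_hosts = [sequential_ids(100, 40), sequential_ids(20000, 40), sequential_ids(50000, 40)]
    rnd_hosts = [random_ids(40, s) for s in (1, 2, 3)]
    return {
        "sequential": count_hosts_by_ipid(observed_outside_nat(seq_hosts)),
        "randomized": count_hosts_by_ipid(observed_outside_nat(rnd_hosts)),
        "nat_rewrites": count_hosts_by_ipid(nat_rewrites_ids(observed_outside_nat(seq_hosts))),
    }
```

`estimates()["sequential"]` is 3, the true count; `"randomized"` comes out near the number of packets, because almost no random ID falls within the gap of an existing chain, which is the imprecision the post complains about; `"nat_rewrites"` is 1. A real observer also has to cope with hosts whose counters happen to overlap, which the greedy rule would merge into one chain.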
    22. Re:NAT destroying the Internet by Kevin+DeGraaf · · Score: 1

      No, I did not miss the article. That article described one way (assuming that NAT mechanisms sequentially increment the IPid field and using heuristics based on that), and that said method is very imprecise, error-prone, and easy to fool.

      --
      We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
    23. Re:NAT destroying the Internet by Jonner · · Score: 1

      Good point. I'm now checking the "hide number of private hosts" option on my Linksys residential gateway. They'll never find me out now! Thanks Kevin, you just saved me a bundle.

  31. Re:Too long, didn't read by Anonymous Coward · · Score: 0

    I'll be in the paddock drinking shitty whiskey and winning superfectas.

  32. Re:NAT & fresh windows installs by toddestan · · Score: 3, Interesting

    The best part about NAT is that I can hook up a freshly reinstalled Windows computer to it with no firewalls like Zonealarm on it, it picks up an IP and is hooked up to the internet immediately. And I don't have to worry about it instantly getting 0wn3d by MSBlaster, etc. Giving me plenty of time to download service packs, patches, drivers, software, etc. I suppose it can be done with another computer and CD-Rs, but this way is so much easier.

    Also, I can have file shares open between different computers on the NATed (natted? NATted?) network, allowing for easy sharing of files. If each computer was hooked directly to the internet there would be no way I'd have ports 135-139 open for Windows file shares!

  33. Re:Too long, didn't read by Anonymous Coward · · Score: 0

    TEN WIN ON THE NINE HORSE!!!!

  34. speakfreely relay server meets bitorrent by gilko · · Score: 1

    i just had a neat idea what if you combined the function of the speak freely relay server, to get around the NAT issue, with bit torrent, to get around the bandwidth issue.

    1. Re:speakfreely relay server meets bitorrent by JediTrainer · · Score: 2, Informative

      i just had a neat idea what if you combined the function of the speak freely relay server, to get around the NAT issue, with bit torrent, to get around the bandwidth issue.

      Don't think that'd work. Bittorrent is meant to distribute files. If you're trying to stream audio, the packets need to arrive in sequential order. With BT, the machines you're connected to send pieces of the file (whatever they have), not necessarily in any particular order that makes sense for live audio.

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
    2. Re:speakfreely relay server meets bitorrent by gilko · · Score: 1

      okay, maybe the analogy wasn't the best, but use your imagination. i think the idea of distributed bits of audio stream that can be reconstituted is still good.

    3. Re:speakfreely relay server meets bitorrent by Anonymous Coward · · Score: 1, Informative

      been done, it's called Skype

  35. Wrong. by SiMac · · Score: 1

    Saying "NAT as a security tool is the network equivalent of Security through Obscurity, and is just as flawed" is like saying that a key is not a security tool in a house with windows, since I can break the windows to get in.

    NAT makes an attack on the inside of the network substantially more difficult. It doesn't prevent an attack through email, but it's only one part of a proper consumer security toolkit, which should include some form of antivirus software as well. It does prevent MSBlaster, and not just through obscurity, but because it's physically impossible to attack the vulnerability.

    In addition, a system on a network with NAT can indeed act as a server. It just requires the user to be aware that he/she is setting one up.

  36. AUP by yerricde · · Score: 1

    Each and every firewall/nat box I have worked with supports reverse port mapping, DMZ, or uPnP.

    This doesn't help when your ISP doesn't provide an affordable Internet access plan that forwards incoming connections to your network. Switching ISPs is not generally an affordable option either unless you're willing to take a 25-fold reduction in download throughput.

    --
    Will I retire or break 10K?
  37. You really don't know what you are talking about by anti-NAT · · Score: 1

    He is completely correct, you are completely incorrect.

    RFC 2993 - Architectural Implications of NAT
    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  38. Yup. I will. by mindstrm · · Score: 1

    What you are describing is typical of hardware NAT firewalls like Linksys, D-Link, etc., or most PROPERLY configured firewall/NAT gateways...

    But in the example I gave, there is no filtering enabled on incoming/outgoing connections.. the only thing being done (other than routing) is NAT...

    and NAT has nothing to do with blocking connections... which was the original point.

    If you take a linux box, turn on forwarding, and set up SNAT (or masquerade) in prerouting.. you have EVERYTHING you need to share one internet IP address among many computers using a private local network..... and NOTHING you need to enforce any kind of security.

    So, yes, I agree that if you control your nat router, you can set it up so that the ISP cannot initiate inbound TCP.... but that is not related to NAT.

    You THINK it's related to NAT, because you always see the two set up together.. but they are not related.

    1. Re:Yup. I will. by Thomas+Charron · · Score: 1

      Actually, you are ASSUMING as your basis that the NAT rules will just blindly let any traffic in that doesn't meet any of its NAT rules.

      And as I said before, this would only work if you don't support any sort of netmasks.

      The packets would, even if they somehow magically managed to get routed IN from a netmask the interface wouldn't support, just get routed BACK out to the NAT box's default host, as it doesn't match ANY of the netmask rules for transmittal to the internal address..

      --
      -- I'm the root of all that's evil, but you can call me cookie..
    2. Re:Yup. I will. by Anonymous Coward · · Score: 0

      You must be the troll with the lowest Slashdot user id. NAT rules and netmasks won't even be touched if a packet for your internal network arrives at the outer interface. The only relevant tables in this case are routes and firewall rules.

  39. Re:What's NAT have to do with addresses per machin by yerricde · · Score: 1

    if you have many addresses available

    One major reason that many-to-one NAT is so common is that most single-family residential Internet access customers don't "have many addresses available."

    --
    Will I retire or break 10K?
  40. Much Ado About Nothing by NDPTAL85 · · Score: 1

    This guy is making it sound like the internet is somehow changed for the worse simply because changing times have made his old software irrelevant.

    The net is still free, you can still talk to whoever you want to talk to. No need for Chicken Little here. Heard of blogs? ICQ? Instant messaging? IRC?

    Next thing you know he'll be complaining that the net is no longer free since no one uses gopher or AOL's TurboBrowser (from version 2.6) or Hotline anymore.

    --
    Mac OS X and Windows XP working side by side to fight back the night.
    1. Re:Much Ado About Nothing by guardian-ct · · Score: 1

      You're still missing something. If nearly everyone is behind a NAT, and 25% of users don't know what a port is, or why you'd need to forward one... Any attempt at person to person connection to that 25% of users will require a centralized server with a known (not necessarily static) address. Multiple P2P connections without NAT would not require a server. Servers and good fast rack space aren't free. If you want more than a very few people to get your blogs, ICQ, IM, and IRC, they all require a server somewhere with a non-NAT IP.

      Did you happen to read anything else Jon W wrote? "Digital Imprimatur"? How about the "Unicard" paper? Ever used AutoCAD?

      I don't think he'd complain about gopher, turbobrowser, or hotline not being used any more. From what I can see, those weren't peer-to-peer either, though I've never seen Turbobrowser or Hotline in action.

    2. Re:Much Ado About Nothing by NDPTAL85 · · Score: 1

      What you and he are forgetting is that with or without NAT most internet users still don't know what a port is. This is GEEK stuff. Not regular people stuff. If a regular person has something he/she wants to make available to the entire world then they can setup a home/web page. That's "good enough" for 99% of their purposes.

      --
      Mac OS X and Windows XP working side by side to fight back the night.
  41. He is correct about NAT by anti-NAT · · Score: 1
    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  42. I think you misread. by mindstrm · · Score: 2, Informative

    I'm not faulting NAT whatsoever, NAT is good, NAT is great..

    but NAT is not security.

    Perhaps my point is too subtle... let me try to put it another way.

    All the security features you think you get by using NAT are actually not related to NAT at all.. they just happen to be configured along side it, and nobody ever really thinks about it. All of them are available, and work equally well, without NAT in the picture. NAT works equally well without any security features.

    My point is not that "NAT devices are insecure" or that NAT is evil.. but that implying that NAT == security in any way, shape, or fashion, is wrong.

  43. Please don't use NAT! by nikwa · · Score: 1

    From http://www.nanog.org/mtg-0306/pdf/doyle.ppt (search google for above URL for conversion to HTML):
    NAT Causes Problems
    - Breaks globally unique address model
    - Breaks address stability
    - Breaks always-on model
    - Breaks peer-to-peer model
    - Breaks some applications
    - Breaks some security protocols
    - Breaks some QoS functions
    - Introduces a false sense of security
    - Introduces hidden costs
    --- IPv6 = plentiful, global addresses = no NAT

    NAT is one of the ugliest and most widespread Nasty Hacks in the history of the Interweb.

    1. Re:Please don't use NAT! by stratjakt · · Score: 1

      This message brought to you by the League of People Who Stand To Make Money Deploying IPv6!

      NAT is here to stay, adapt or die.

      Who cares about some models of the 'net sketched up by folks a decade or two ago? They're broken, so what? Einstein broke Newton's models too. Time for new models.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Please don't use NAT! by Anonymous Coward · · Score: 0

      Hah. When/if IPV6 becomes available to the all of us (instead of just the few who use it now) you'll probably still use NAT. Enjoy your life in hell.

    3. Re:Please don't use NAT! by unshaven23 · · Score: 0

      Some of your arguments deserve a comment

      - Breaks globally unique address model

      Excuse me? The Internet doesn't know I have this address. The Internet doesn't need to know. There are ranges reserved for private internal use, and if you use Internet addressing space in your LAN you should be spanked.

      - Breaks address stability

      Please explain this... Do you mean that if more than 10 million people use NAT that they will cause the Internet to come down on itself?

      - Breaks some applications

      True, but these applications are mostly of bad design. Is it a matter of fixing the application or implementing a workaround in NAT?

      - Breaks some security protocols

      Please explain this. If you don't want people to access the Internet, don't NAT them.

      - Introduces a false sense of security

      That's why you _ALWAYS_ need a firewall, anti-virus software, and keep an eye out on what exactly you're installing.

      - Introduces hidden costs

      Again, please elaborate...

      NAT is one of the ugliest and most widespread Nasty Hacks in the history of the Interweb.

      Wow, the "Interweb"... Last time I checked it was still called the InterNET. While I'm a fan of IPv6 being deployed to help the growth of the Internet, NAT is a great solution to a real problem. Reading a couple of slides from a powerpoint presentation and not being able to explain the problems except for the bullet-items will not help you in the discussion.

      I try to avoid powerpoint presentations for exactly that reason. Bullet-item lists filled with complicated sounding words to impress spectators generally don't help solve the problem, but help marketoids sell their products, and make the lives of those who have to implement it a nightmare because the material is too thin to be meaningful.

      Your post was nearly as bad as answering the question "Why is NAT bad?" with "Because... and that's why... Don't ever ask it again."

    4. Re:Please don't use NAT! by unshaven23 · · Score: 0
      Hah. When/if IPV6 becomes available to the all of us (instead of just the few who use it now)

      Hah, when that book of grammar hits you in the face repetitively, I'll be sure to compile my kernel with IPv6 and roll out my IPv6 box in a matter of a couple of hours. But until then, I'll stick to NAT.

  44. Mangle ttl on gateway... by Anonymous Coward · · Score: 0

    "Hee hee, my ISP doesn't realise I'm connecting more than one PC" BONK. Yes they do.

    If you use packet mangling on the ttl of outgoing packets on the gateway and set them *all* to 255, it's actually pretty hard for them to tell...

    -L.

  45. I know I enjoy the added security of a NATed firew by stratjakt · · Score: 4, Interesting

    There's no added security to NAT. A nat box that blocks incoming connections is no more secure than a router that blocks incoming connections.

    Ipchains used to let udp packets addressed to your internal net pass through untouched. All a hacker need do is guess your internal address space (all signs point to 192.168.0.*) and he could bombard your innards with all kinds of silly shit. And most exploits are emailed/downloaded trojans, not viruses in the old sense.

    What NAT is, is convenient. I have my router box equipped with NAT and DHCP. I can bring home a laptop or plug something in, and presto! I'm online. No calling ISP and asking for another IP, no hoops to jump through.

    I could pay for extra IPs from my ISP, but why? I don't serve anything from home, and neither do most home and small business users - that's what colos are for.

    NAT is just way too convenient and sensible. It's like just plugging a phone into an extension, vs running its own line.

    And it works 99.9% of the time for me. Transparent proxies (ya mofo i violate RFCs by even transparently proxying http, i'm fucking crazy man, crazy!!) fill the gap for the 0.999%, leaving 0.001% of stuff a pain in the ass, and I can avoid that pain in the ass stuff since it's all warez clients, err p2p applications.

    So, I don't mourn the loss of SpeakFree. Open source needs to be able to adapt to survive, too. NAT is here to stay.

    --
    I don't need no instructions to know how to rock!!!!
  46. GnomeMeeting by tungwaiyip · · Score: 1

    Doesn't GnomeMeeting do the same thing and more? I think it supports NAT too.

  47. Should have googled.... by harlows_monkeys · · Score: 3, Interesting
    1. Re:Should have googled.... by moncyb · · Score: 1

      I don't understand. Where does that paper explain how to connect when both computers are behind NATs without using a server?

    2. Re:Should have googled.... by harlows_monkeys · · Score: 1
      I don't understand. Where does that paper explain how to connect when both computers are behind NATs without using a server?

      According to the article by the SpeakFreely author, it doesn't seem there would be a problem with using a server to set up connections. He just can't handle the bandwidth of having the voice traffic go through the server.

    3. Re:Should have googled.... by Webmonger · · Score: 1

      If the connection is set up by the server, the voice traffic must be relayed by the server. As the site notes: "two people behind different NATs can't open up connections to each other in the usual way - ever!" That means that any data they transmit to each other MUST pass through a third non-NATed box.

    4. Re:Should have googled.... by cyt0plas · · Score: 1

      No, it doesn't. The article does say "in the usual way", but it is _not_ proxying it. The computers use a 3rd party server to find their real IPs, then send an outbound packet to each other. Because they have both initiated outbound packets, they can then talk to each other. RTFA.

      --
      Contact Me (got tired of viruses emailing me).
    5. Re:Should have googled.... by Anonymous Coward · · Score: 0

      No, you read it wrong. They can't open up connections to each other in the usual way. Then he goes on to describe an unusual way which does work. The third party server is only needed to query addresses. Actual data is never transferred through that server.

      To summarize the technique, it relies on the proposition that if you send a packet through a NAT box, the NAT box will then open up the return port for packets that come from the destination you sent your packet to. What the third party server here is doing is telling you what address to send a packet to, which causes your NAT to open up the return port. Since the other guy is doing the same thing, the net result is that there is a direct line of communication opened between your two NAT routers, with the only traffic to a third party server being a simple address query.

      At the end of the article, he lists several NAT solutions which are known to work this way. Not all do.

      It should further be noted that this only works for UDP, not TCP! TCP relies on a connection being established, but UDP does not. However, SpeakFreely, as a streaming protocol, is most likely based on UDP, and so this technique would work.

    6. Re:Should have googled.... by Webmonger · · Score: 1

      What kind of connection? TCP/IP won't let you do it that way, and anything else would require special software on the NAT box. Their real IPs are not globally routable, so it won't work unless they're on the same LAN.

    7. Re:Should have googled.... by Anonymous Coward · · Score: 0

      UDP connections. It works with most NAT boxes, because most look for outgoing UDP packets, and route packets from the host to which the original was sent that arrive on the port they were sent from back to the machine inside the NAT that sent them originally. A third party server is used to find the addresses and ports to use, but not to proxy data.

      The automatic forwarding of UDP packets based on ports used by outgoing packets is exactly what allows UDP based client-server games to work from behind NAT routers. Because all of the NAT box makers want games to work for their customers without hassle, this feature is nearly universal in off-the-shelf "broadband routers". This is just using a third party server to provide address and ports to "trick" the NATs into opening those ports between two machines that are both using NAT.

      It's a fairly well-known technique for peer-to-peer games, but apparently not so well known otherwise!

    8. Re:Should have googled.... by moncyb · · Score: 1

      Yes, it's true he said it would be too expensive for his server if he tried to relay NAT users. But much of his rant was also about how it makes internet users into consumers and dependent upon centralized servers. If you read the rant linked in the EOL announcement, it gives the heart of his reasoning and why he wrote SpeakFreely in the first place. (no, I didn't read it all either, it's huge!)

      Over the last two years I have become deeply and increasingly pessimistic about the future of liberty and freedom of speech, particularly in regard to the Internet. This a complete reversal of the almost unbounded optimism I felt during the 1994-1999 period when public access to the Internet burgeoned and innovative new forms of communication appeared in rapid succession. In that epoch I was firmly convinced that universal access to the Internet would provide a countervailing force against the centralisation and concentration in government and the mass media which act to constrain freedom of expression and unrestricted access to information. Further, the Internet, properly used, could actually roll back government and corporate encroachment on individual freedom by allowing information to flow past the barriers erected by totalitarian or authoritarian governments and around the gatekeepers of the mainstream media.

      So convinced was I of the potential of the Internet as a means of global unregulated person-to-person communication that I spent the better part of three years developing Speak Freely for Unix and Windows, a free (public domain) Internet telephone with military-grade encryption. Why did I do it? Because I believed that a world in which anybody with Internet access could talk to anybody else so equipped in total privacy and at a fraction of the cost of a telephone call would be a better place to live than a world without such communication.

      The rest seems to discuss how his dreams were/will be squashed, but IMO, he appears to still have his rose colored glasses on.

    9. Re:Should have googled.... by evilviper · · Score: 1
      The computers use a 3rd party server to find their real IPs, then send an outbound packet to each other. Because they have both initiated outbound packets, they can then talk to each other.

      That would ALMOST work...

      The problem being that, my own firewall (and many others I'm sure) is set to return a reset (rst) when it receives an unrequested packet. That means, when one system sends a UDP packet to my firewall, the instant my firewall receives it, it will send a response to the other firewall, closing the connection. Obviously, if both firewalls do this, then there is no way to open the connection, unless you can count on network failures, or something else that allows you to guarantee that the first packet won't get through.

      Additionally, the same could probably be accomplished with TCP, if the two could communicate before-hand to keep their sequence-numbers in-sync, assuming the firewall doesn't modify those itself.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    10. Re:Should have googled.... by Anonymous Coward · · Score: 0

      There is no connection, we're talking UDP. There's nothing to reset. Furthermore, the packet WILL be "requested" in the only sense that matters, since you will also have sent a packet out to the other guy's address/port. Both ends send packets repeatedly until they get a response (or give up), so even if your firewall bounces the first one because you haven't sent your packet yet (which is very likely), it won't bounce the second one.

      It won't work for TCP because attempting to establish a connection does not make routers automatically accept incoming connections. It works for UDP precisely because it is connectionless. The act of sending a packet is the only thing the router has to go on to allow incoming packets on the same port you were sending from.

      This is how peer-to-peer games work on the internet. Virtually all RTS games use this technique nowadays, for example. It works, and works well, and has worked for many years!

    11. Re:Should have googled.... by evilviper · · Score: 1
      You obviously don't have a great deal of knowledge about networking, and I'm not going to try to teach you, so I'm just going to quickly point out the flaws in your argument.

      There is no connection, we're talking UDP. There's nothing to reset.

      No, we aren't talking about UDP, we are talking about a firewall. Stateful firewalls *do* keep track of connections, and close connections (remove state information) when they receive a connection reset.

      Furthermore, the packet WILL be "requested" in the only sense that matters, since you will also have sent a packet out the the other guy's address/port.

      No, the packet WON'T be requested, because both sides can't be guaranteed to send out the packets at exactly the same time. That means, one request is sent before the other, and one firewall will send a reset to the other (assuming they are configured to do so).

      even if your firewall bounces the first one because you haven't sent your packet yet (which is very likely), it won't bounce the second one.

      Yes, if both are designed to send a reset, one will open a connection, get a reset, and close the connection. This will happen as many times as you send the packet, unless you can either make one packet fail to get through, or you can send them both at EXACTLY the same time.

      It won't work for TCP because attempting to establish a connection does not make routers automatically accept incoming connections.

      Completely wrong. The only thing that is really different between UDP and TCP (as far as the firewall is concerned) is that TCP has a sequence number that can be verified.

      It works for UDP precisely because it is connectionless.

      Connectionless means almost nothing to a firewall.

      It works, and works well, and has worked for many years!

      That's just fine. Spoofing source addresses, and many other things will work on much of the internet, but still won't work through my firewall. That's the difference between secure, and crappy.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
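The technique described in the "Should have googled" replies above, as an added example (not code from the thread and not Speak Freely's own code): two peers behind separate port-translating NATs, a rendezvous server that only reflects the public address:port it observed, and both sides sending repeatedly until a datagram matches a mapping the other side's NAT has already opened. The `endpoint_independent=False` switch models the other kind of NAT the thread mentions ("Not all do"): one that allocates a fresh public port per destination, so the endpoint the server reports is never the one used toward the peer. Addresses (192.168.1.3 on both LANs, 203.0.113.10 and .20 for the NATs, 198.51.100.1:3478 for the server), port numbers and all class and function names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class Nat:
    """Port-translating NAT (toy model; assumption, not any vendor's behaviour).
    endpoint_independent=True: one public port per inside socket, reused toward
    every destination, inbound accepted only from a remote the inside host has
    already sent to (the behaviour the replies above rely on).
    endpoint_independent=False: a fresh public port per (inside socket, destination)."""

    def __init__(self, public_ip, endpoint_independent=True, first_port=40000):
        self.public_ip = public_ip
        self.endpoint_independent = endpoint_independent
        self.next_port = first_port
        self.mapping = {}      # mapping key -> public port
        self.inside = {}       # public port -> (inside ip, inside port)
        self.permitted = set() # (public port, remote ip, remote port) opened by outbound traffic

    def _key(self, d):
        if self.endpoint_independent:
            return (d.src, d.sport)
        return (d.src, d.sport, d.dst, d.dport)

    def outbound(self, d):
        key = self._key(d)
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.inside[self.next_port] = (d.src, d.sport)
            self.next_port += 1
        port = self.mapping[key]
        self.permitted.add((port, d.dst, d.dport))   # "open the return port"
        return Datagram(self.public_ip, port, d.dst, d.dport, d.payload)

    def inbound(self, d):
        """Returns the translated datagram, or None if the NAT drops it."""
        if (d.dport, d.src, d.sport) not in self.permitted:
            return None    # unsolicited: nobody inside has sent to this remote from this port
        ip, port = self.inside[d.dport]
        return Datagram(d.src, d.sport, ip, port, d.payload)


class Peer:
    def __init__(self, nat, inside_ip, port=5000):
        self.nat, self.ip, self.port = nat, inside_ip, port
        self.received = []

    def send(self, dst, dport, payload):
        """Returns the datagram as it appears on the public side of this peer's NAT."""
        return self.nat.outbound(Datagram(self.ip, self.port, dst, dport, payload))

    def deliver(self, public_dgram):
        d = self.nat.inbound(public_dgram)
        if d is not None:
            self.received.append(d.payload)
        return d is not None


def punch(endpoint_independent=True, attempts=3):
    """Rendezvous server at 198.51.100.1:3478 (constructed) never relays payload;
    it only tells each peer the public address:port it saw the other come from.
    Returns (payloads A received, payloads B received)."""
    server = ("198.51.100.1", 3478)
    # Both LANs use the same RFC 1918 address: inside addresses are not what the peers exchange.
    a = Peer(Nat("203.0.113.10", endpoint_independent), "192.168.1.3")
    b = Peer(Nat("203.0.113.20", endpoint_independent), "192.168.1.3")
    # 1. each peer registers; the server records the source address:port it observes
    seen_a = a.send(*server, "register")
    seen_b = b.send(*server, "register")
    a_public = (seen_a.src, seen_a.sport)
    b_public = (seen_b.src, seen_b.sport)
    # 2. the server hands each peer the other's public endpoint (address query only)
    # 3. both keep sending until something comes back; A happens to go first each round,
    #    so A's first datagram reaches NAT B before B has opened anything and is dropped
    for _ in range(attempts):
        b.deliver(a.send(*b_public, "hello from A"))
        a.deliver(b.send(*a_public, "hello from B"))
    return a.received, b.received


if __name__ == "__main__":
    print("cone-style NAT:", punch(endpoint_independent=True))
    print("per-destination NAT:", punch(endpoint_independent=False))
```

With the endpoint-independent NATs A gets every one of B's three datagrams while B only gets A's second and third, which is the "first packet bounces, the retry gets through" behaviour the replies describe; with per-destination mappings neither side ever receives anything, because each NAT opened its hole on a port the other peer never learned about.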
  48. Why should every device be accesible? by fermion · · Score: 5, Interesting
    I have to disagree that not having every computer connected directly to 'The Internet' is a bad thing. The first definition from google for the internet, taken from the american heritage dictionary, is
    An interconnected system of networks that connects computers around the world via the TCP/IP protocol.

    This means that the Internet is made up of networks which may themselves may be made up of networks, etc. These networks use a common protocol. Most would say that not every device on the network, or even every sub network on the network has to be connected to the Internet. It is quite arguable that there are benefits, both personal and for the commons, to not have every device connected to the Internet.

    What is for sure is that for the Internet to run, everyone who uses it must contribute to its well-being. There has to be enough devices connected directly to the Internet to process and forward all the packets in an efficient and timely manner. I personally pay a number of services that manage such activity on my behalf. My personal machines, which are not in the primary business of routing packets, are behind a NAT, which is.

    Being behind a NAT allows me to manage my network with less effect on the rest of the community. There are still many security issues, and I can still flood others if I get infected, but it is a first step. I would argue that assuming every computer on every network to be directly addressable from every other computer on every other network might not be the best design decision. It certainly fits in well with the TelCo desire to sell at least one IP per device, as they tried to do in the past with telephones, but other than that I do not see the benefit.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re:Why should every device be accesible? by pHDNgell · · Score: 1

      I agree that not every system should be able to access, or be accessible from the Internet. However, NAT is not the solution to this, your firewall is. Ingress and egress filtering should be used. For example, my network has egress filtering on port 80. If you want to go to a web page, you have to go through a proxy.

      --
      -- The world is watching America, and America is watching TV.
    2. Re:Why should every device be accesible? by aminorex · · Score: 1

      > ...should...

      Why? Bald assertions alone carry little weight.

      --
      -I like my women like I like my tea: green-
    3. Re:Why should every device be accesible? by pHDNgell · · Score: 1

      > ...should...

      Why? Bald assertions alone carry little weight.
      Did you seriously just reply to a single word in my entire post without any sort of context?

      The ``should'' was a recommendation. The topic of the parent post was regarding every host on every network being accessible. I certainly have hosts on all of my networks that don't need internet access. If a machine requires an application proxy to access a particular service on the Internet, it's a lot easier to control and track what's going on.

      --
      -- The world is watching America, and America is watching TV.
    4. Re:Why should every device be accesible? by evilviper · · Score: 1
      Why?

      I believe the point was that, doing so will give you the same advantages of NAT, without the disadvantages.

      Thanks to things like stateful packet filtering, you can have a publicly-routable IP address, while not allowing anyone to connect to it (just like NAT). The difference being that, each system will have its own IP address, preventing the problems that come with NAT.

      There you go, all the benefits, and none of the disadvantages.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  49. Read more carefully. by mindstrm · · Score: 1

    I am in no way trolling.
    I am also in no way implying that "NAT is bad" or "NAT devices are insecure".

    The article was about NAT... and NAT is not in any way related to firewalling, other than by conveniently often being handled by the same device. So a mention that "Nat won't go away because I like the security of being behind my natted firewall" is totally inaccurate. Yes, I got the firewall part.. but what's NAT got to do with that? Nothing, it doesn't need to be there.

    Can I name any appliances that don't do firewalling as well as NAT? Not offhand, nope.. though I can mention a few configurations of cisco routers or linux boxes that can easily accomplish NAT with no firewalling (and have used both with good reason)

    I understand the concepts quite well, thanks.
    A single snat rule works one way... yes, correct.

    So, what happens when I send, let's say, a ping... to your IP address (192.168.1.3) behind your little linux NAT box that ONLY has an SNAT rule, and no other filtering enabled. It has forwarding enabled, and SNAT.. it's a pure NAT box.

    Let's pretend for a moment I have a buddy at the ISP, and I've had them add a route to your location for that network... so routing isn't an issue.

    Do you think your nat box is going to reject the packet I'm sending? It's not.. it's going to forward it right to your workstation.. it has the proper address.. and there are no rules in place to prevent it.
    If it DOES reject it, in a typical linux nat/firewall setup, it is because of a rule on the FORWARD table, usually set to not allow things to initiate from outside.. but then, that has nothing to do with nat, does it....

    Will the SNAT rule cause issues with the return packets? Yes... but the fact is, I just routed traffic to your machine.. and that's all it takes to send several of the latest worms.. a single UDP datagram.

    Nobody is saying there is one true firewall, or one true way to set it up. in fact I'm not saying anything at all about what you SHOULD do for security.. only that the feature we call NAT is not a security feature, but a convenience one. All the cool pocket firewalls we have will be just as useful with IPV6 WITHOUT NAT... the ONLY purpose of NAT is to translate addresses.. and all the other perceived security features of NAT are actually firewalling features that could equally be had without NAT.
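A toy model of the three configurations argued over in mindstrm's, stratjakt's and evilviper's posts above: a Linux-style box with only a POSTROUTING SNAT rule and forwarding enabled, the same box with a FORWARD-chain rule that drops NEW traffic arriving on the outer interface, and a stateful filter in front of publicly-routable addresses with no NAT at all. This is an added example, not code from the thread and not Speak Freely's code; it assumes, as the post does, that the probe packet has already been routed to the box, and the addresses (192.168.1.0/24, 203.0.113.5 for the box, 198.51.100.7 for the outside host, 203.0.113.128/25 for the no-NAT case), port numbers and class and function names are assumptions for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Forwarder with the two switches the thread argues about (toy model, assumption):
    snat            ~ POSTROUTING -j SNAT --to <wan_addr>
    filter_forward  ~ FORWARD -i wan -m state --state NEW -j DROP
    IP forwarding itself is always on, as on a 'pure NAT box'."""

    def __init__(self, inside_net, wan_addr, snat=True, filter_forward=False):
        self.inside_net = ip_network(inside_net)
        self.wan_addr = wan_addr
        self.snat = snat
        self.filter_forward = filter_forward
        self.conntrack = {}   # reply tuple as seen on the WAN -> inside source address
        self.delivered = []   # packets handed to inside hosts
        self.dropped = []

    def from_lan(self, pkt):
        """Outbound packet: forwarded, then SNATed in POSTROUTING if enabled.
        Connection tracking records the expected reply tuple either way."""
        out = replace(pkt, src=self.wan_addr) if self.snat else pkt
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt.src
        return out

    def from_wan(self, pkt):
        """Inbound packet on the outer interface; returns the verdict."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # ESTABLISHED: reply to something an inside host sent; un-NAT and deliver
            self.delivered.append(replace(pkt, dst=self.conntrack[key]))
            return "delivered"
        # NEW packet from outside
        if self.filter_forward:
            self.dropped.append(pkt)
            return "dropped"
        # no filter rule: only the routing table decides, and the destination is inside
        if ip_address(pkt.dst) in self.inside_net:
            self.delivered.append(pkt)
            return "delivered"
        self.dropped.append(pkt)
        return "no route"


OUTSIDE = "198.51.100.7"   # outside host (constructed address)


def unsolicited_inbound(snat, filter_forward,
                        inside_net="192.168.1.0/24", target="192.168.1.3"):
    """A single datagram from outside aimed straight at an inside address
    (the post's scenario), arriving on the box's outer interface."""
    box = NatBox(inside_net, "203.0.113.5", snat=snat, filter_forward=filter_forward)
    return box.from_wan(Packet(OUTSIDE, 40000, target, 5000))


def reply_delivered_to(snat, filter_forward):
    """The normal case: an inside host talks out and the outside host answers
    whatever source address:port it saw."""
    box = NatBox("192.168.1.0/24", "203.0.113.5", snat=snat, filter_forward=filter_forward)
    out = box.from_lan(Packet("192.168.1.3", 5001, OUTSIDE, 53))
    box.from_wan(Packet(OUTSIDE, 53, out.src, out.sport))
    return box.delivered[-1].dst


def compare():
    return {
        "pure_snat": unsolicited_inbound(snat=True, filter_forward=False),
        "snat_plus_stateful_filter": unsolicited_inbound(snat=True, filter_forward=True),
        "public_addresses_stateful_filter": unsolicited_inbound(
            snat=False, filter_forward=True,
            inside_net="203.0.113.128/25", target="203.0.113.130"),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:34} {verdict}")
    print("reply through SNAT+filter reaches", reply_delivered_to(True, True))
```

The SNAT rule never sees the probe: nothing in the model drops it except the FORWARD rule, and that rule does the same job whether the inside addresses are private or public, while replies to outbound traffic are delivered in every configuration.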

    1. Re:Read more carefully. by AftanGustur · · Score: 1
      The article was about NAT... and NAT is not in any way related to firewalling, other than by conveniently often being handled by the same device.

      Uhh, read everything again and put things in context, NAT is a service, and in this context of speak-freely-peer-to-peer on the internet it is almost *always* provided by firewalls. That is why the comment reads as it does: I enjoy the added security of a NATed firewall, and without a really good reason, I won't be quick to give it up.
      "it" is likely a reference to the firewall. Get it ?

      Let's pretend for a moment I have a buddy at the ISP, and I've had them add a route to your location for that network... so routing isn't an issue.

      Having someone add a route for a private network (as defined in RFC-1918) won't do you any good unless you have buddies on every hop between you and your target. Otherwise, you would have to be on-site at the ISP, and then you would need no route change..

      Your claim was:
      That's nat, full, 100% working nat.
      With absolutely no security.

      And then you go on describing some James-Bond-style scenario that demonstrates a vulnerability against one type of threat.

      I repeat my claim that the single NAT rule is enough for 99% of people out there..

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    2. Re:Read more carefully. by Anonymous Coward · · Score: 0

      Another hypothetical option is source routing. Don't know if anyone doesn't filter it, but with source routing, no cooperation from intermediate hops is required.

    3. Re:Read more carefully. by Anonymous Coward · · Score: 0

      I was standing in my lunch room a few weeks ago. I saw some recommendation letters hanging on the wall. The marketing guy in charge of selling my product walked in. I said 'hey good work how did you get these letters out of em'. He did the most extraordinary thing. He told me how. He said 'oh not too hard. (then as if talking to a customer) hey how much to get a letter out of you.' He opened up his wallet and started laying out 20's on the table.

      How many 20's would it take to get at a router in some backroom? James bond HA. Enough federal reserve notes can open MANY doors. If you think this is james bond you are naive.

      Also guess what, what if I am on the same subnet? Hmm guess what, it will not EVEN GET ROUTED. It will get dropped right on your machine just like a good network should. How big is your isp's subnet?

      Dude, if all you have is NAT your computer has probably already been rooted. Do ALL your neighbors run linux and in a secure way? Do you run windows? Are all your neighbors up on their patches?

      I run in depth.
      First level is raw ISP. I consider this to be the internet and unsecure.
      Second level is my router. I own the passwords. This is my box. It runs NAT. This lets me pick odd network ranges. This is a very simplistic security. It would not take much coding to get around it.
      Third level. I drop all incoming packets. This is firewall stuff. This lets me decide what traffic comes in and goes out.
      Fourth level. I run ZoneAlarm on each computer. I still do not even trust my OWN computers. Logging in my linux stuff. Logging on my windows stuff. Some say ZoneAlarm is crap. Hell its even spyware. But it does its job ok. I probably will eventually replace it with something else that does the same thing.

      My point is do not trust any layer. They can ALL be compromised in different ways.

      Sure a door that says keep out keeps most people out. But a deadbolt keeps even more people out. But a hungry doberman on the other side of the door makes sure you do not want in the room.

    4. Re:Read more carefully. by rocca · · Score: 1

      Let's pretend for a moment I have a buddy at the ISP, and I've had them add a route to your location for that network... so routing isn't an issue. Do you think your nat box is going to reject the packet I'm sending? It's not.. it's going to forward it right to your workstation.. it has the proper address.. and there are no rules in place to prevent it. If it DOES reject it, in a typical linux nat/firewall setup, it is because of a rule on the FORWARD table, usually set to not allow things to initiate from outside.. but then, that has nothing to do with nat, does it....

      If the device doesn't reject it then it's a poor excuse for a NAT implementation. Any router should not accept a packet coming on the WAN interface with a source address in the LAN subnet.

    5. Re:Read more carefully. by Anonymous Coward · · Score: 0

      (-1, stupid). Come on, think before you write.

  50. Nat != IP Space reduction generaly by silas_moeckel · · Score: 1

    Actually NAT does little to nothing to reduce the IP space needed on most modern installations where most computers are participating on the internet. NAT just remaps IP's on a 1 to 1 basis. Just like its name states: Network Address Translation.

    PAT reduces used IP addresses by mapping ports rather than IP's.

    NAT especially is no substitute for good security as incoming connections are allowed by default. This method breaks fewer protocols than PAT.

    Now as far as NAT being a good or bad thing I'm all for NAT and PAT. IPv6 fixes the perceived address space issue (there isn't an address space issue, there is an address cost issue IMHO). While fixing space issues it makes addresses near impossible to remember and not everything participates in DNS nor should it. It also requires multicast to work; that's an administrative nightmare along with a plethora of security and billing issues. Think of Bittorrent when a single DSL user can send 128 kb a sec out to every peer of their ISP on a statement ISP; that's a lot of traffic. IPv6 also does not address routing table complexity and thus memory requirements.

    Now your 50 buck a pop little DSL AP generally has the settings correct by default with an easy way to make a DMZ host that's entirely unprotected.

    Ipv6 may be the future but if we really want to make things work better look at replacing BGPv4 while you're at it. Something that allows link redundancy along with carrier redundancy while preserving state is needed. You should be able to have a cable modem and a DSL line and combine the bandwidth. Right now you have to do that through NAT and proxies and it works well for outgoing sessions although its failover is stateless so a single line going down drops a portion of your connections.

    --
    No sir I dont like it.
    1. Re:Nat != IP Space reduction generaly by Anonymous Coward · · Score: 0

      NAT is very frequently used for PAT and NAT (in the strict sense), simply because it is trivially possible to treat more than the 4 IP octets as address. "a.a.a.a:pp" is a 6 byte "Network Address" which NAT translates into another 6 byte address.

  51. Re:Yeah that's right, SF and NAT don't work togeth by D4MO · · Score: 2, Funny

    Weird, I keep getting sitefinder...

    --

    Rocket science is easy. Neurosurgery, now *that's* difficult.
  52. Open Alternatives? by nurb432 · · Score: 1

    Ok, so what is left for us to use for this?

    --
    ---- Booth was a patriot ----
    1. Re:Open Alternatives? by plover · · Score: 1
      Speak Freely is still around. The source is public domain. Feel free to keep using it forever; John just said you won't be downloading it from fourmilab.ch after next Jan 15th.

      His announcement was just a bit of drama to post a loud "you idiots are f'ing up the internet with NAT and firewalls!" I see this mostly as him sacrificing Speak Freely publicly so hopefully people will think it's worth it to preserve some bit of p2p. I doubt it will do much good, but hey, if he's looking for an out, that's his prerogative too.

      --
      John
  53. Here Here by silas_moeckel · · Score: 1

    You mean somebody else saw through the veiled hatred of NAT in that RFC?

    Let's look at the issues of NAT (PAT in Cisco parlance, as NAT is entirely different) as compared to a normal stateful non-inspecting firewall with no administrative restrictions. They each:

    Disallow incoming IP sessions unless specified.

    Function as a single point of failure.

    Require a single point of state.

    Personally I think EVERYTHING should be firewalled but that doesn't fit with the academic model. Now, of those three big ugly issues, the only thing that NAT adds on is address and possibly port translation; gee, that's what it's supposed to do. The state and single point issues can be and are fixed by more advanced firewalls and NAT boxes that cross communicate.

    --
    No sir I dont like it.
  54. Ditto in Finland.. by TeknoHog · · Score: 1

    ..at least with Sonera ADSL and cable. They give you five IP addresses for no extra cost.

    --
    Escher was the first MC and Giger invented the HR department.
  55. Not that simple. by TheLink · · Score: 3, Informative

    "No, your addresses are perfectly routable, just the internet at large does not route them by agreement. Your ISP could easily configure it's routers to get traffic in to your network on those addresses."

    Of course the ISP gets traffic in to your network even with NAT but that's how you get to surf the web. :)

    "That's nat, full, 100% working nat.
    With absolutely no security."

    Seriously though, while your ISP can easily subvert data and existing connections (and so can Verisign etc), it is nontrivial for your ISP to make new inbound connections into your network through a NAT device.

    If you know how typical NATs work, it isn't that easy. (BTW Cisco calls them PATs because Cisco used to have inferior NAT solutions that didn't support IP sharing or overloading as they called it).

    In the simplest case that supports multiple NAT'ed hosts, a NAT device builds a table based on outbound packets: src address, src port, dest address, dest port -> new src address, new src port, dest address, dest port.

    You need a new source port because two source hosts could use the same source port.

    Reply packets that match are then translated back.

    Packets that don't match can't go through the device because the device just doesn't know where they should go.

    Unless the device is terribly buggy you should be reasonably safe from inbound connections.

    In fact with NAT, in order to allow inbound connections you need to add more code.

    So with NAT having inbound connections is harder, and that is a good thing.

    Coz there are some tricks you can play with IP fragments, where you get a fragment to overlap the original header on a vulnerable operating system. But if you have a reasonably recent O/S this shouldn't work anymore even on Windows.

    Simple example of how it works: an inbound packet fragment goes through a firewall with a legit destination address and port and is stored in a packet buffer on the destination host. Subsequent fragments are sent and allowed through by the firewall and they overwrite/overlap the original destination port in the packet buffer, so the destination host actually ends up with a packet that connects to a service that should have been blocked by the firewall.

    If you don't allow inbound connections and only allow outbound, such subversion is a lot harder; someone needs to be able to see your outbound packets as they head towards the real destination, in order to construct suitable "inbound" packets and fragments.

    --
    1. Re:Not that simple. by Malor · · Score: 1

      What he's saying, and perhaps isn't doing a very good job, is that NAT and firewalling are separate entities.

      Most consumer-level NAT devices use 192.168.0.0 or 1.0/24 as their NAT network. What mindstrm is trying to say is that your provider could easily add a route for 192.168.0.0/24 aimed at your DSL router. A machine doing NAT-only translation will happily forward packets addressed directly to its "private" network. It will do NAT if the rules are triggered, but if they aren't, it *still routes the packets*, so Joe Evil Employee can access your machines freely. He can ping, nmap, and hack remotely any machine he likes in your "private" network. To him, you look exactly the same as any other un-firewalled machine in the world. There's nothing magical about 192.168.0.0; it's set aside for private use, and is used in probably hundreds of thousands of installations, but if the ISP routes to your modem, he's temporarily saying "ok, you are the real 192.168.0.0 as far as I'm concerned"... and he's in.

      In real life, of course, that mostly won't work, because NAT devices *also* do firewalling, and will refuse to route the inbound packets. What mindstrm is trying to point out is that it is really the firewalling that gives you the security, not the NAT.

      NAT does protect some against people coming from the "rest of world", those who don't have access to all the routers between their machine and yours. But firewalling provides security that's both a lot better and a lot more flexible.

      If NAT goes away, it won't cause any appreciable security loss.

    2. Re:Not that simple. by Anonymous Coward · · Score: 0

      Incorrect. Your NAT device won't route them because it is not a routing device, or expressed another way it is not using a routing table. It is an address translation table.

    3. Re:Not that simple. by Malor · · Score: 1

      It will if it's based on Linux. NAT is part of the routing process. You can't do NAT without routing, but doing NAT in *no way* stops regular routing from working.

      In other words, if I say "translate 192.168.0.10 to address 1.2.3.4", and then I get packets at the external interface headed to 192.168.0.10, they will be routed. Further, the replies will come back without being NATted, because the kernel is doing stateful inspection, and it will know that the reply to a "normal" connection shouldn't be tampered with.

      I use this functionality all the time, so I know exactly what I'm talking about.

  56. Right.. by mindstrm · · Score: 1

    And that's the point.

    The original posting mentioned that nat would be around because he "Liked being behind his NAT firewall"... my point was only that NAT has nothing to do with it... and that what he really likes is the firewalling, not the nat.

    I'm not trying to bash NAT products, or say NAT is bad.. just that.. we are talking about whether or not we will be using NAT so much in the future, and a LOT of people are thinking and saying "YES, because it's secure" which is wrong.

    In the future, I bet we will still have little SOHO firewalls.. but we won't be using the NAT feature.

  57. Please don't call it the Interweb by guardian-ct · · Score: 1

    Web != Net. There are other protocols out there than HTTP, ya know.

  58. Ah! by TheLink · · Score: 1

    Ah, ok I get what the original poster means.

    If the NAT device also behaves as a normal router then without any firewall rules it could forward packets destined for the internal network.

    OK my error.

    --
  59. Firewall good, NAT bad by nsayer · · Score: 1, Insightful

    It astonishes me how people believe that they derive security from NAT. It's like saying blind folks are fortunate because they don't have to see ugly things.

    It is trivial to achieve the same level of security in a firewall as you get with NAT. IPv6 will need firewalls just like IPv4 does. The difference, however, is that if you *want* to allow a certain type of communication to more than one host behind the firewall, you don't have to do a bunch of tortured port mapping nonsense (which often isn't good enough).

    NAT breaks the Internet. If you like NAT, you should be using AOL instead.

    1. Re:Firewall good, NAT bad by Anonymous Coward · · Score: 0

      It is trivial to set up a software firewall; but I don't see anyone arguing against that here.

      It also doesn't protect you from every threat, but I don't see anyone arguing against that here either.

      What it does do is let a home user with a few machines (that they turn on and off) not have to worry about firewalling each one, without the expense of an extra computer running 24/7 just to stop inbound packets.

      It also puts the firewall outside the machine, which is nice for those of us who are greedy for CPU cycles (like I wait hours or days for animation to render).

    2. Re:Firewall good, NAT bad by Gojira+Shipi-Taro · · Score: 1

      ipv6 isn't commonly used now, and NAT is the only solution for home users. It's a "mexican standoff". People are not going to switch to ip6 until it's widely used, and it won't be widely used until people switch.

      I'm not shelling out for new hardware for that purpose either. (I'll probably set up an IPv6 firewall on a Linux box when the time comes though)

      My network works for ME today. I don't give a single shit if it "Breaks" things for people that want to peek at my network.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    3. Re:Firewall good, NAT bad by nsayer · · Score: 1

      So it's not the NAT that you like, it's the small little box that sits between you and your cable or DSL.

      So long as you admit that you would be equally well served if the little box did 6to4, IPv6 firewalling and NATPT, I'll happily agree: It's nice to have a little box from Netgear instead of a PC do the dirty work.

      But given your agreement to the above, it's not NAT that you want. You're just willing to put up with it because you don't currently have a choice.

  60. Re:Dont' prepetuate myths. -- Intellectual Agenda by Anonymous Coward · · Score: 0

    you have an agenda. You have an intellectual agenda. I know it's routable but currently not by agreement.

    But you forgot the current result is that it's not routable.

    ok...someone try to reach my 10.10.10.3 machine ...hard to do isn't it?

  61. IAX goes through Firewalls by Anonymous Coward · · Score: 1, Interesting

    Asterisk uses the IAX protocol which goes through NATs without problems. That might be the way to go.

  62. Correction: NAT is 20% of a firewall by axxackall · · Score: 1
    In my file of iptables rules 20% of the rules are related to NAT and forwarding, while 80% are related to in-out access in general. I've got my first rule-set from one of the examples in the netfilter documentation, applying some specific changes, but even in the original file 80% of the rules were about access in general, not NAT/forwarding specific.

    Also, you can check the configuration of netfilter in your Linux kernel, or even the netfilter source code: less than 20% will be about NAT.

    So, where did you get your knowledge about "80% of a firewall is NAT?"

    --

    Less is more !
    1. Re:Correction: NAT is 20% of a firewall by Anonymous Coward · · Score: 0

      lol no shit I've got about 100 lines in my OpenBSD pf.conf, and 1 of them is for NAT

  63. Why it's not a myth by amcguinn · · Score: 1

    Fundamentally, you are 100% correct. NAT provides no security that simple filtering can't do better.

    However, practical security is about more than fundamentals. It is about what happens when you screw up.

    I have a gateway with filtering. If I mess up a config, my gateway might come up without the iptables rules, and I might not notice for ages.

    However, all the workstations I use are NATted, (All things being equal I would prefer that they weren't, but the charges from my ISP would be far from equal), and if the NAT is accidentally deactivated, I'll notice pretty damn quick because nothing will work.

    Yes, you could say "If you screw up your config that's your own fault, you're incompetent", but a large proportion of real-world security breaches are caused by administrator errors, and a security system that is more resistant to errors is "more secure" by reasonable definitions.

    Having said all that, your point about the ISP being able to route directly to your internal IPs is a good one. Luckily (because I hadn't really thought about it), my iptables setup will reject any such packets.

    1. Re:Why it's not a myth by God!+Awful+2 · · Score: 1

      Having said all that, your point about the ISP being able to route directly to your internal IPs is a good one. Luckily (because I hadn't really thought about it), my iptables setup will reject any such packets.

      Right... because your ISP is *so* likely to do this.

      -a

  64. Well, gnutella and MBlaster are doing well by iamacat · · Score: 2, Insightful

    So I don't see NAT dominating the Internet. I assume most people will just use a PC with two ethernet cards rather than dedicated routers and use that PC for stuff that requires incoming connections.

    I suspect the author is just bitter that his stuff is not popular anymore. Even if it's possible to talk peer-to-peer, instant messengers with hosted servers are more convenient to use.

    Well, it's a free world, but he should have asked if anyone wants to take over the project and then forward the links to that person.

    1. Re:Well, gnutella and MBlaster are doing well by Anonymous Coward · · Score: 0

      > Well, it's a free world, but he should have asked if anyone wants to take over the project and then forward the links to that person.

      If you'd bothered to RTFA you would know that he's asked many, many times for additional development help, and gotten no responses. He's doubtful of SpeakEasy's future exactly because of the lack of developer interest. All the project materials are on SourceForge and will remain there - question is, will anyone care to take up the development?..

    2. Re:Well, gnutella and MBlaster are doing well by Anonymous Coward · · Score: 0

      Man, that must be a slap in Brian C. Wiles' face. The program's name is SpeakFREELY, not SpeakEasy (as mentioned in other threads as well). SpeakEasy is, among other things, a broadband ISP.

    3. Re:Well, gnutella and MBlaster are doing well by nadaou · · Score: 1

      Well, it's a free world, but he should have asked if anyone wants to take over the project and then forward the links to that person.

      They have:
      speak-freely.sourceforge.net

      links & mailing list archive need to be recursively wget'd, compressed and posted to sf.net at minimum.

      --
      ~.~
      I'm a peripheral visionary.
  65. I'm stil confused by blonde+rser · · Score: 1

    Can you explain how with your simplified Linux boxen SNAT a packet could make its way to an internal computer and initiate a response. What I don't see is why the Linux box would rename the address of an inbound packet to the local address of an internal computer if the internal computer did not initiate anything. So a packet is addressed to a certain port on the external IP x. I don't see why the Linux box would change the address to 192.168.a.b, and even if it had a reason, how would the outside attacker specify 192.168.a.b from 192.168.a.c? Sure, the attacker could compromise the Linux box itself and once compromised attempt to compromise an internal computer. But this is more secure than if the attacker didn't have to compromise the Linux box itself. Sure, this might be equivalent to a screen door with a lock on it, but that is not the same as offering no security.

    1. Re:I'm stil confused by Nurgled · · Score: 2, Interesting

      The linux box doing the NAT is also configured to route packets. On your LAN, you would configure the "default gateway" to be that box, and thus cause any packets not destined for an address in your LAN subnet to be sent to the NAT box for routing.

      Imagine if a computer at your ISP had a route added to its routing table which causes 192.168.0.0/16 to be routed to your external IP address. This computer will now send any packets destined for an address in your LAN subnet to your router, which will inspect its routing table and see that, for example, 192.168.0.0/16 is to be transmitted out of interface eth0 onto your LAN.

      The way you stop this is to configure the router to drop packets on your Internet-facing interface which are addressed to internal hosts. Once you do this, you are using a packet filter (ie a "firewall") in addition to NAT.
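
      The two boxes the thread keeps comparing, as an added example that is not code from any poster: a toy NAT router that builds the translation table TheLink describes (outbound 4-tuple gets a fresh public port, replies are mapped back, unmatched inbound packets are dropped) and that, with no extra rule, plain-routes a WAN packet already addressed to a 192.168.0.x host as Nurgled describes. Addresses, the NatRouter class and the scenario() helper are constructed for the example; the filter_wan_inbound flag stands in for the packet-filter rule on the Internet-facing interface.

```python
"""Toy model of a NAT-only router versus NAT plus a packet filter (constructed)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

LAN = ip_network("192.168.0.0/24")   # private side
WAN_IP = "203.0.113.7"              # router's public address (TEST-NET, constructed)

FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str          # interface the packet arrived on: "lan" or "wan"


@dataclass
class NatRouter:
    # False = "NAT only": translate what matches the table, plain-route the rest.
    # True  = also drop WAN-side packets whose destination is already internal.
    filter_wan_inbound: bool = False
    next_port: int = 40000
    # outbound state: (src, sport, dst, dport) -> public port used on the WAN side
    out_table: Dict[FourTuple, int] = field(default_factory=dict)
    # reverse lookup: (remote, rport, public port) -> (original src, original sport)
    in_table: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the router, or None if it is dropped."""
        if pkt.iface == "lan" and ip_address(pkt.src) in LAN and ip_address(pkt.dst) not in LAN:
            return self._outbound(pkt)
        if pkt.iface == "wan":
            return self._inbound(pkt)
        self.log.append(f"drop: no rule for {pkt}")
        return None

    def _outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:
            # Two LAN hosts may both use source port 5000, so each new
            # mapping gets its own public port.
            wan_port = self.next_port
            self.next_port += 1
            self.out_table[key] = wan_port
            self.in_table[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
            self.log.append(f"snat: {pkt.src}:{pkt.sport} -> {WAN_IP}:{wan_port} for {pkt.dst}:{pkt.dport}")
        return Packet(WAN_IP, self.out_table[key], pkt.dst, pkt.dport, "wan")

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst == WAN_IP:
            # Traffic to the public address: translate only if state exists.
            entry = self.in_table.get((pkt.src, pkt.sport, pkt.dport))
            if entry is None:
                self.log.append(f"drop: no translation state for {pkt.src}:{pkt.sport} -> :{pkt.dport}")
                return None
            src, sport = entry
            return Packet(pkt.src, pkt.sport, src, sport, "lan")
        if ip_address(pkt.dst) in LAN:
            # A WAN packet already addressed to a private host: NAT never
            # looks at it, so only an explicit filter rule can stop it.
            if self.filter_wan_inbound:
                self.log.append(f"drop: filter rule, WAN packet to internal {pkt.dst}")
                return None
            self.log.append(f"route: forwarding WAN packet straight to {pkt.dst}:{pkt.dport}")
            return Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport, "lan")
        self.log.append(f"drop: {pkt.dst} is not ours")
        return None


def scenario(filter_wan_inbound: bool) -> dict:
    """Run the same constructed traffic through a router in the given mode."""
    r = NatRouter(filter_wan_inbound=filter_wan_inbound)
    # Two internal hosts open connections from the same source port.
    a = r.handle(Packet("192.168.0.10", 5000, "198.51.100.5", 80, "lan"))
    b = r.handle(Packet("192.168.0.11", 5000, "198.51.100.5", 80, "lan"))
    # The server replies to each public port; the router maps them back.
    reply_a = r.handle(Packet("198.51.100.5", 80, WAN_IP, a.sport, "wan"))
    reply_b = r.handle(Packet("198.51.100.5", 80, WAN_IP, b.sport, "wan"))
    # An unsolicited connection to the public address: no table entry.
    unsolicited = r.handle(Packet("198.51.100.9", 4444, WAN_IP, 22, "wan"))
    # A packet from the ISP side addressed directly to a private host,
    # as if the ISP had routed 192.168.0.0/24 to this box.
    direct = r.handle(Packet("198.51.100.9", 4444, "192.168.0.10", 22, "wan"))
    return {"a": a, "b": b, "reply_a": reply_a, "reply_b": reply_b,
            "unsolicited": unsolicited, "direct": direct, "log": r.log}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"filter_wan_inbound={mode}:")
        for line in scenario(mode)["log"]:
            print("  ", line)
```

      Running it shows the "direct" packet being forwarded in NAT-only mode and dropped once the filter rule is on, while the unsolicited packet to the public address is dropped in both modes for lack of table state.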

    2. Re:I'm stil confused by Anonymous Coward · · Score: 0

      The route would be set to the external IP address, but packets are actually addressed one level below IP, to the MAC address of the interface with the route's gateway IP. I think what confuses people about IP routing is that the router's IP address is not in the packets which pass through the router. People tend to ignore the transport layer.

    3. Re:I'm stil confused by Uerige · · Score: 1

      The only reason your isp would want to route directly to your 192.168.x.x address is to find out if you are connecting a single computer or a LAN to their modem. Many people have licenses that restrict plugging home LANs into the modem.
      Remember: You're at your ISP's mercy anyway so why bother?

    4. Re:I'm stil confused by Nurgled · · Score: 1

      I was simplifying a little. I didn't really want to bring up Ethernet when the OP was clearly confused enough about IP as it is.

      However, on most cable systems you share one broadcast medium with a bunch of other customers, all of which would be capable of addressing you at the transport level if they wanted to. (Actually, in many cases they'd be addressing the cable modem rather than the router, but there exist devices which do both)

    5. Re:I'm stil confused by Nurgled · · Score: 1

      Remember that your neighbours are on your ISP's network too. Do you trust them all?

    6. Re:I'm stil confused by Anonymous Coward · · Score: 0

      Excellent point: Cable modem users, not only your ISP but also your neighbor may be able to see through your "secure" NAT box. Better check those iptables rules.

    7. Re:I'm stil confused by Thomas+Charron · · Score: 1

      Imagine if a computer at your ISP had a route added to its routing table which causes 192.168.0.0/16 to be routed to your external IP address

      Ok, I will. Here, lemme go look at my NAT box setup now..

      Ok, its public IP is 66.32.64.0, netmask on that interface is 255.255.248.0. (Yes, I changed a number or two to hide the real IP)

      Its internal adapter is set up for 192.168.0.1, with a netmask of 255.255.255.0.

      Let's follow this. The packet is received by the ethernet adapter. The driver gets it, and for some magical reason, it's transmitted directly to my MAC address.

      Software gets it. Software says 'Oh wow, look, someone else's packet, I won't process it because it doesn't match my '1 simple rule' to be 'mine'.
      *software promptly tosses the packet over its shoulder, into the pile of every other packet that it found wasn't addressed specifically to it*

      As they say in grade school, read a book, learning is fun..

      --
      -- I'm the root of all that's evil, but you can call me cookie..
    8. Re:I'm stil confused by Anonymous Coward · · Score: 0

      You don't understand IP routing. A Linux NAT box has ip_forwarding enabled. That means that it, get this, accepts packets which arrive at one of its interfaces even though the packets have a different destination address than one of the router's (or NAT's) IP addresses. That's its job, believe it or not. The magical reason which makes the packet show up at your MAC address is called ARP. Look it up.

    9. Re:I'm stil confused by Uerige · · Score: 1

      What does that have to do with my neighbours? They can't change my ISP's routing tables, can they? Why don't you think before posting?

    10. Re:I'm stil confused by Anonymous Coward · · Score: 0

      They don't need to. On many cable systems, they're in the same broadcast domain and can address your modem directly.

    11. Re:I'm stil confused by Anonymous Coward · · Score: 0
      Uerige writes: Remember: You're at your ISP's mercy anyway so why bother?"

      Not from a security point of view. It should be possible to set up your computer securely without necessarily having to trust your ISP. I wouldn't want a disgruntled employee of the ISP entering my network to read credit card numbers or anything like that.

      And as mentioned, that's what firewalls are for, not NAT.

  66. H.350 standard by ITU ?! by Phoinix · · Score: 1

    I have used SF for ~ 8 yrs and over a slow connection, no other program came close especially with the new CELP compression protocol.

    Can someone explain how the new H.350 standard by the ITU (International Telecommunication Union) will influence programs like SpeakFreely?

    http://www.itu.int/osg/spu/newslog/categories/voip/2003/09/04.html#a174

    http://www.nwfusion.com/news/2003/0903ipvid.html

    Thanks

  67. Unknown software... by Anonymous Coward · · Score: 0

    The amount of available free software is overwhelming. I used to be able to scavenge most of those cool things that become news, before they became news [ :-) ]. Not anymore.

    Now, even Freshmeat is too fast for me. I pity those corporate fellows with month long cycles of product evaluation. They don't have a chance.

    We are coming to a regrettable state in which the "brand", the "griffe" -- be it Gnome or KDE -- starts to influence how much an application is known. While I don't argue that is important, this should not come in the way of a potential killer app.

    But what is the solution? I don't know. Maybe more people creating entries at dmoz/Google directories...

  68. Re:I know I enjoy the added security of a NATed fi by pHDNgell · · Score: 1

    What NAT is, is convenient.

    I have to disagree with this point. I find it rather inconvenient.

    Consider my IPv6 network. I get all of the benefits you describe (plugging in a new machine and having it magically appear on the network), except it does so with real, routable addresses.

    --
    -- The world is watching America, and America is watching TV.
  69. Internet is becoming another channel of your TV by big-magic · · Score: 1

    It's sad, but I agree with John Walker's analysis. The Internet is slowly turning into another channel of your TV set. And since 99.9% of the population doesn't care, I don't see anything changing this trend. Unfortunately, this will make true peer-to-peer services very difficult.

    And he's right about powerful forces at work here. The government, major content providers, and software vendors want you to be a consumer. As long as there is a clear separation between client and services, it makes it easier to control. If they don't like something, they just shut down the central service, and it's gone. That's much more difficult in a true peer-to-peer environment.

  70. The Evil Media Conspiracy by fm6 · · Score: 1
    The user is demoted to acting exclusively as a client. While the user can contact and freely exchange packets with sites not behind NAT boxes, he cannot be reached by connections which originate at other sites. In economic terms, the NATted user has become a consumer of services provided by a higher-ranking class of sites, producers or publishers, not subject to NAT.

    There are powerful forces, including government, large media organisations, and music publishers who think this situation is just fine. In essence, every time a user--they love the word "consumer"--goes behind a NAT box, a site which was formerly a peer to their own sites goes dark, no longer accessible to others on the Internet, while their privileged sites remain.

    Well, this isn't totally paranoid. The "powerful forces" are real enough -- I've ranted against them myself. But to blame them for network balkanization is extremely naive.

    Sure, NATs screw up P2P applications. But you don't see the media monopolies demanding that everybody install one. No, they want all the content to be "managed" and to make it illegal for anybody to get around the management. A lawyer-and-technomagic solution. Which is itself pretty naive. Won't work in the long run, but extremely dangerous to society in the short run. Which is something we need to deal with -- and inventing new conspiracies to blame (admittedly evil) people for doesn't help.

    So what drives the use of private networks? Hackers (I refuse to call them Farmers From Georgia), Script Kiddies, and Spammers. They want to break into your system and do silly things with it. A NAT is the simplest, least headache inducing protection against these folks. Yeah, you can always use a firewall. But firewalls are a pain to deal with -- you're constantly trying to solve the tourist-or-terrorist problem, and usually getting it wrong. I'd rather use a NAT and do without the P2P software.

    As would most users. All these strange and arcane P2P applications are interesting, but very few people can be bothered with them. For the same reason Ham and CB radios never replaced the telephone system.

    The open Internet is an outdated concept on many levels. Security is just one of them. A bigger issue is scalability. If you want to make some kind of service available on the Internet, you do not want to put the service on your own machine and then publish your address. Not if you expect any real response. I mean most of us have heard of the Slashdot effect, right? There are also issues of data backup, etc. For these things, you go and pay a few bucks to somebody who can offer the necessary, expertise, scalability, and so on.

    On the other hand, you offer services on a private network very easily. But that's only practical because your private network is isolated from the network at large.

    It's too bad the Internet is no longer the friendly little place it was when SpeakFreely was invented. But it's moved past that, and you can't go back, not without kicking off 90% of the users. It's especially unproductive to blame the problem on the media monopolies. We've already got plenty to blame them for!

  71. NAT nonsense by penguin7of9 · · Score: 2, Informative

    While the user can contact and freely exchange packets with sites not behind NAT boxes, he cannot be reached by connections which originate at other sites. In economic terms, the NATted user has become a consumer of services provided by a higher-ranking class of sites, producers or publishers, not subject to NAT.

    Even cheap consumer firewalls allow you to accept incoming connections and run services. Furthermore, despite a lot of noise, most broadband providers do not seem to block incoming traffic; too many games and other popular software rely on it.

    The only thing that NATs change is that services should be more flexible in the ports they will work with: when you have multiple machines behind a NAT box, you end up having to assign non-standard ports to services if they are being offered by multiple firewalled machines.

    I agree that the trend towards relegating end users to a "client" status is disturbing, but NAT is not primarily responsible for that. Inventing bogus technical arguments will not help us reverse that trend.

  72. RE: Teamspeak by King_TJ · · Score: 1

    Yeah, my wife is seriously hooked on playing Shadowbane, and I've noticed most of the "more effective" clans in the game agree to run Teamspeak while they play. That way, they can form attack strategies and figure out amongst themselves which character attributes are best to have against other types of characters.

    It's almost become the unofficial "other half" of a Shadowbane installation, for anyone serious about playing the game.

  73. Thank you by mst · · Score: 1

    I feel a bit more optimistic now :-)

  74. Re:Dont' prepetuate myths. -- Intellectual Agenda by asdfghjklqwertyuiop · · Score: 2, Informative

    But you forgot the current result is that it's not routable.

    ok...someone try to reach my 10.10.10.3 machine ...hard to do isn't it?

    http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Source_Routing/default.htm

    That method will not work if you have a quality firewall. But the reason for that not working has absolutely nothing to do with the fact that you are NATing.

  75. Re:I know I enjoy the added security of a NATed fi by Moofie · · Score: 1

    Yeah, nice, but you can't exactly get one of those free with a box of Cheerios.

    IPv6 will be grand...when I can buy it for a reasonable price from my ISP. It's disingenuous for you to say "Well, just use IPv6!" when that's simply not an option for the overwhelming majority of Internet users.

    --
    Why yes, I AM a rocket scientist!
  76. Re:NAT & fresh windows installs by Anonymous Coward · · Score: 0

    Because you don't have NAT doesn't mean you don't firewall your network. You could have a physically identical setup which does the same job, but with "real" IP addresses for each machine. And there's no reason why the firewall can't do DHCP (so you don't have to configure it).

    Real (but firewalled) ips are nearly always better than your usual nat setup (unless you don't want people to know how many machines you have.)

  77. RFC 2775, Internet Transparency by Graabein · · Score: 1

    From RFC 2775:

    Abstract

    This document describes the current state of the Internet from the
    architectural viewpoint, concentrating on issues of end-to-end
    connectivity and transparency. It concludes with a summary of some
    major architectural alternatives facing the Internet network layer.

    [...]

    3.5 Network address translators

    Network address translators (NATs) are an almost inevitable
    consequence of the existence of Intranets using private addresses yet
    needing to communicate with the Internet at large. Their
    architectural implications are discussed at length in [NAT-ARCH], the
    fundamental point being that address translation on the fly destroys
    end-to-end address transparency and breaks any middleware or
    applications that depend on it. Numerous protocols, for example
    H.323, carry IP addresses at application level and fail to traverse a
    simple NAT box correctly. If the full range of Internet applications
    is to be used, NATs have to be coupled with application level
    gateways (ALGs) or proxies. Furthermore, the ALG or proxy must be
    updated whenever a new address-dependent application comes along. In
    practice, NAT functionality is built into many firewall products, and
    all useful NATs have associated ALGs, so it is difficult to
    disentangle their various impacts.

    --
    And remember kids: Never trust a computer you can actually lift.
  78. You don't get it. by mindstrm · · Score: 1

    And I don't want to keep repeating myself.

    NAT is not firewalling. NAT provides NO security.

    What security you DO get from the average NAT-in-a-box device, firewall, whatever, is not because of NAT but because of OTHER rules and things put in besides NAT.

    Quoting that RFC number sure made you look smarter. I'm talking about a threat from your ISP, not from me across the world.. you have no way of controlling whether or not that route exists... and assuming "RFC 1518 says they aren't routed normally on the net" means if I use those addresses, I'm safe, is ridiculous.

    A single NAT rule is not enough for anyone out there, and you won't find many devices in the home or business market (other than load balancers) that use JUST a nat rule.. all of them have other security measures in place, either built into the default nat setup, or put alongside it by default... but be very clear, nat is not a necessary component to get the same security.

    The article referred to not needing NAT in the future. Then the guy says "I won't be quick to give up my NATed firewall." implying that the NAT has something to do with it.
    All the security he wants, he gets without NAT... so his allegation that NAT will stay because of his need for a firewall is absurd.
    Get it? Look at the topic.

  79. Another anti-NAT rant: motd on irc.homelien.no by Graabein · · Score: 2, Interesting

    This is from the motd on irc.homelien.no:

    "Second, we get overwhelmed by requests to add special access for
    LAN parties and small businesses running NAT (for the
    illiterate, if your IP address starts with 192.168. or 10., you are
    probably running NAT -- and your personal freedom is severely
    restricted).

    Please understand; our answer will always be NO. It always has
    been, and it always will be. I will try to put this in simple
    terms; NAT (Network Address Translation) and similar "technologies"
    (masquerading, etc) are detrimental to the Public Internet.

    NAT destroys the end-to-end transparency of the Internet. If you
    do not understand this or the ramifications of this, please READ
    UP ON IT and make up your mind. It is a short-term, detrimental
    solution to a long-term problem which is most easily solved by
    USING UP ALL AVAILABLE IPV4 ADDRESSES AS SOON AS POSSIBLE to force
    a transition to IPv6.

    irc.homelien.no will never succumb to the incompetence of
    consultants. We do, however, realize that a number of our users
    actually constitute part of the technician and consultant
    community. If you want to give us something in return for
    providing this service, increase your awareness of the above
    issues. Short and to the point. --edison, Oystein Homelien"

    (irc.homelien.no is a popular server on EFnet)

    --
    And remember kids: Never trust a computer you can actually lift.
  80. Make your own judgement by anti-NAT · · Score: 1

    Quoting the RFC is easier for me than describing my experience.

    However, briefly,

    a) I first implemented NAT for a customer of mine in 1995. NAT broke their application, because IP address information was embedded inside the payload. That was my first sign something was wrong with NAT.

    b) I've seen a 10 000 user network crash because the power supply in the NAT box failed. At the time there wasn't an alternate path, but if there was, the NAT boxes would have some sort of proprietary state sharing protocol, and the boxes would have to be directly connected together - which provides a geographical limit as to how far apart the NAT boxes can be. Too bad if you want to have diverse geographical Internet connections.

    With dumb old routers you can do this easily, because they don't maintain state, and therefore would operate independently of each other.

    c) Approximately a year ago I spent two _months_ solid working on NAT for VPN solutions. There were something in the order of 50+ different combinations of VPN topologies and NAT options. It was a Brain F**k.

    All that work could have been avoided by just using unique public address space.

    I'm not too worried what the slashdot audience thinks of my opinion, I suspect most of them are aged between 14 and 20, and don't have much or any real world experience.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:Make your own judgement by Gojira+Shipi-Taro · · Score: 1

      a) I first implemented NAT for a customer of mine in 1995. NAT broke their application, because IP address information was embedded inside the payload. That was my first sign something was wrong with NAT.

      Nope. Something was broken with their application.

      b) I've seen a 10 000 user network crash because the power supply in the NAT box failed.

      And the network connection wouldn't have blown up if the IPv6 router's power supply failed? Please.

      c) Approximately a year ago I spent two _months_ solid working on NAT for VPN solutions. There were something in the order of 50+ different combinations of VPN topologies and NAT options. It was a Brain F**k.

      Sounds like the whole thing is too difficult for you and you're in the wrong line of work. It's not designed to be easy for a career salesman to plug and play. It's designed to do its job and separate the PRIVATE address space from the public address space.

      All that work could have been avoided by just using unique public address space.

      So because you can't grasp relatively simple concepts, we should all reduce our security for your benefit? Sorry, no. You are indeed a troll. I know real world experience, and the only guys I have ever met who had the kind of "problems" you had are career salesmen with minimal technical knowledge trying to function as Sales Engineers, when they're not mentally capable of doing so.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    2. Re:Make your own judgement by anti-NAT · · Score: 1

      I was paid approximately $100K p.a. to work on the largest ISP's IPSec VPN product, as a Senior VPN and Internet Security engineer. If I don't know what I'm talking about, I managed to fool them for two years.

      --
      The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  81. Absolutely agree by anti-NAT · · Score: 1

    Try running two SMTP servers behind a NAT box - which one are you going to map TCP port 25 to, and which one isn't going to receive external email? All you NAT-lovers, solve that one ... (and no, you are not allowed to use a single SMTP server, for security reasons for example).

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:Absolutely agree by Anonymous Coward · · Score: 0

      Try reading the fucking RFCs - I have multiple public IPs mapped to multiple machines or stubbed onto VLANs, all behind a single NAT box. Two public IPs map directly to machines running SMTP.

      You are clearly a moron!

  82. Nope. by mindstrm · · Score: 1

    Okay... good example.

    Let's assume eth0 is "outside" 66.32.64.1, say... and eth1 is "inside" 192.168.0.
    The behavior you stated won't happen unless there is an additional rule to block packets arriving for other addresses... because

    a) forwarding is on
    b) the kernel has a route to 192.168.0.0/24 to eth1.. so it has somewhere to forward the packet.

  83. Internet doomed, filmed at 11 by kindbud · · Score: 1

    I know I enjoy the added security of a NATed firewall, and without a really good reason, I won't be quick to give it up.

    Well, if "it breaks worthwhile applications" isn't a good enough reason to dump NAT when it's no longer really needed, then there's not much hope, is there?

    --
    Edith Keeler Must Die
  84. Re:I know I enjoy the added security of a NATed fi by jaywee · · Score: 1

    Actually, NAT can be a serious security flaw, if poorly configured, especially with the rise of wireless networks.
    1) Someone walks into your AP range - he gets hidden behind your NAT IP -> absolutely no clue where the traffic came from.

    2) If the NAT is improperly configured (and it mostly is done so) it can be used for hiding in a different way. If you have a wireless network with public IPs, and a bunch of "customers" using their NAT boxes, one can set the NAT box as a gateway on his malicious wardrive notebook and the NAT box will happily accept such packets (even when from the wrong interface) and NAT them...

  85. Wow by Anonymous Coward · · Score: 0

    This was announced months ago. About time Slashdot caught up. Try OpenH323 or something.

  86. Replace it (and the ancient PGPfone) by Phantasmo · · Score: 1

    Although I never got SF working (guess why? NATs), I'd always admired it for including encryption. Maybe now's our chance to write a portable clone of PGPfone.

    Call it GPGfone... but more clever.

    --

    The US Army: promoting democracy through unquestioned obedience
  87. But dropping support is not a solution... by Otto · · Score: 1

    however, what happens when I want to have two machines inside the network both serving content?

    well, I could have the NAT box forward all connections to port 80 to 10.0.0.2:80 and port 81 to 10.0.0.3:81. however, this mythical protocol that uses port 80 has a lot of clients implementing it that are stupid and always assume port 80 is the one to connect to. all of a sudden, binding a forward to port 81 isn't an option.

    As I see it, this is a problem that solves itself, over time. I mean, when there's a problem, solutions are created.

    For example, in NAT, there's the problem of user stupidity. Not knowing how to forward ports, for example. uPnP is only the most obvious solution to this, and while it's not very widespread, it *is* a solution that will take hold over time. Most home level NAT boxes support uPnP pretty well now, and several client programs now are starting to support it. Microsoft's various clients are the most obvious of these, I grant you, but uPnP does work to solve the problem. It lets the application forward ports on its own, without help from the end-user.

    The problem you address is one of multiple similar services behind a NAT box. Given that you have one external IP, clients that take the port for granted don't have the easy option of choosing which service they're talking to. This has two possible solutions:
    a) Get someone in the network administrator position who has a freakin' clue and won't be using a cheap and simple NAT box for all their internet access to the company, but will instead use a real firewall and router and will therefore give those boxes external IPs of their own, or at least route different IPs to those boxes.
    b) Make smarter client applications.

    Solution A is the one most usually implemented. In a company I used to be at, we had this exact problem. We wanted to run a new webserver for our section of the organization ourselves. So we convinced the network admins that we had a need for it, and eventually they pulled a real IP address out of their uplink's block of IP's and set up rules in the firewall to route those connections to our internal IP'd webserver. Problem solved. Of course, we had to secure that server and convince them of the fact in order to get them to do it, but then that's the way it's supposed to be anyway. This sort of thing is what a router is made to do, no?

    Solution B is taking shape more slowly, but newer applications don't make assumptions like the IP address is real, and so forth. The reason things like ALGs are needed is that applications made an assumption which is no longer necessarily valid, and then did something like passing the IP address around between machines in the application data level of the packets. There are simplistic fixes for this, like providing a configuration setting to override what the IP address should be, and complex fixes like auto-detection of internal addresses and using other methods to detect the real external IP address.

    So, solutions are available, just not yet widespread. The NAT problem the original article mentions is real, but blaming it for discontinuing your work on a project is disingenuous at best. The truth is that the author is too lazy to properly investigate the available solutions and then help to promote them correctly. Old obsolete software and protocols must make way for the changing face of the internet and the network.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  88. NAT by Anonymous Coward · · Score: 0

    is absolutely fucked

    for your firewall just put

    # eth0 = the outside interface; drop connections that are initiated from there
    iptables -t filter -A FORWARD -i eth0 -m state --state NEW -j DROP

    that's *all* the functionality that NAT gives you.
    For all those singing the praises of NAT - you are fucking idiots

  89. Nope by denjin · · Score: 1

    How would this work?

    It still knows where the packets are supposed to come from. By default it would not accept packets from your internal network if they came from the outside and entered the wrong interface.

    1. Re:Nope by Nurgled · · Score: 1

      That depends on what you mean by "default". By default it wouldn't do any routing at all, but you have to enable routing to use NAT, and unless you then add some firewall rules to stop it routing from the external interface it will forward between all interfaces regardless of source and destination so long as there's something in the routing table telling it where to send the packets.

      The routing table will tell it to send packets in your LAN subnet out on the LAN interface, so that's what it will do.
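
The forwarding decision that comments 82, 84 and 89 describe, as an added example (not code from the page, from iptables or from any real device): with ip_forward on and a route to the inside subnet, a bare gateway forwards a packet that arrived on the outside interface addressed to 192.168.0.x, and only a state rule or an ingress check stops it. Interface names, addresses, flows and rule names are constructed assumptions.

```python
"""Toy model of a Linux gateway's FORWARD path. Example code added to
illustrate the thread; addresses and interfaces are constructed."""
from dataclasses import dataclass, field
import ipaddress

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str          # interface the packet arrived on
    sport: int = 40000
    dport: int = 80
    proto: str = "tcp"

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Gateway:
    outside: str = "eth0"  # 66.32.64.1 in comment 82
    inside: str = "eth1"   # 192.168.0.x in comment 82
    inside_net: Net = field(default_factory=lambda: Net("192.168.0.0/24"))
    ip_forward: bool = True
    # Optional rules for packets entering on the outside interface (all assumed names).
    drop_new_from_outside: bool = False         # like "-m state --state NEW -j DROP"
    drop_inside_dst_from_outside: bool = False  # inside address on the wrong interface
    no_hairpin_from_outside: bool = False       # comment 84: outsider using us as gateway
    conntrack: set = field(default_factory=set)

    def route(self, dst):
        """Longest-prefix match over a two-entry table: inside net, then default."""
        table = {self.inside_net: self.inside, Net("0.0.0.0/0"): self.outside}
        addr = ipaddress.IPv4Address(dst)
        best = max((n for n in table if addr in n), key=lambda n: n.prefixlen)
        return table[best]

    def state(self, pkt):
        """NEW unless this flow (in either direction) is already in the table."""
        seen = pkt.flow() in self.conntrack or pkt.reverse_flow() in self.conntrack
        return "ESTABLISHED" if seen else "NEW"

    def forward(self, pkt):
        if not self.ip_forward:
            return "drop: ip_forward=0"
        out_iface = self.route(pkt.dst)   # the kernel always has somewhere to send it
        state = self.state(pkt)
        dst_inside = ipaddress.IPv4Address(pkt.dst) in self.inside_net
        if pkt.in_iface == self.outside:
            if self.drop_inside_dst_from_outside and dst_inside:
                return "drop: inside address arrived on outside interface"
            if self.no_hairpin_from_outside and out_iface == self.outside:
                return "drop: outside-to-outside forwarding"
            if self.drop_new_from_outside and state == "NEW":
                return "drop: NEW connection from outside"
        if state == "NEW":
            self.conntrack.add(pkt.flow())
        return f"forward via {out_iface}"


def demo():
    """Run the thread's scenarios and return a name -> verdict mapping."""
    # Constructed: an unsolicited packet from an Internet host (203.0.113.0/24 is
    # documentation space) aimed at an inside host, arriving on the outside interface.
    outsider = Packet(src="203.0.113.7", dst="192.168.0.5", in_iface="eth0")
    bare = Gateway()                                  # forwarding on, no rules: comment 82
    stateful = Gateway(drop_new_from_outside=True)    # the rule from comment 88
    filtered = Gateway(drop_inside_dst_from_outside=True, no_hairpin_from_outside=True)
    results = {
        "bare gateway, unsolicited packet": bare.forward(outsider),
        "stateful gateway, unsolicited packet": stateful.forward(outsider),
        "ingress-filtered gateway, unsolicited packet": filtered.forward(outsider),
    }
    # An inside host opens a connection; the reply is ESTABLISHED and is let through.
    out = Packet(src="192.168.0.5", dst="203.0.113.7", in_iface="eth1", sport=51000, dport=443)
    results["inside host opens connection"] = stateful.forward(out)
    reply = Packet(src="203.0.113.7", dst="192.168.0.5", in_iface="eth0", sport=443, dport=51000)
    results["reply to that connection"] = stateful.forward(reply)
    # Comment 84: a neighbour on the outside segment points its default route at us.
    hairpin = Packet(src="198.51.100.9", dst="203.0.113.7", in_iface="eth0")
    results["outsider using gateway as next hop, bare"] = bare.forward(hairpin)
    results["outsider using gateway as next hop, filtered"] = filtered.forward(hairpin)
    return results
```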

  90. No myth by fm6 · · Score: 1
    NAT is about address use, not security. In no way should NAT ever be confused with security, even if it appears to give you some security.
    But it does give you security, by making your network inaccessible. (If you can't connect to a machine, you can't hack into it.) Maybe that's not what it was originally meant for, but so what?

    Some time during the thirties, some German company manufactured a meat locker, which was installed in Dresden. During the war, it was sometimes used as a lockup for POWs. But in the end, it did a really good job as a bomb shelter. A barrier is a barrier.

    There are roughly 100 messages in this discussion saying, "but they don't keep out viruses." Well duh! It's also true that a kevlar vest won't keep out another kind of virus. Yet cops and soldiers persist in wearing them. Could they all be superstitious? Misinformed? Or maybe a virus isn't the kind of penetration they're worried about.

  91. Re:What's NAT have to do with addresses per machin by petard · · Score: 1

    I understand that. Most single-family residential internet access customers still use IPv4 :-).

    I was replying to the assertion (by CowboyNeal in the OP) that people would wish to maintain this once IPv6 becomes common. At that point, every home user should have hundreds of addresses available, and IMO, even if the benefits of NAT are desirable, it will be better to NAT one-to-one.

    --
    .sig: file not found
  92. Exactly right by Spinality · · Score: 1

    > A NAT is the simplest...protection.... I'd rather use a NAT and do without the P2P software.
    As would most users...[just as] Ham and CB radios never replaced the telephone system
    -- fm6

    I understand the mentality that says "everybody should be a peer to everybody" on the Internet. That's the architectural model. It's a good one.

    But when you need to get Nicky Naperville's little office up and running and connected, you don't want to a) make him hire a net tech to worry about a firewall and proper security, or b) sign up to do it yourself (unless you get paid for this service). For a large segment of the Internet, clueless administration is the norm -- and this won't get any better. We might as well expect them to understand two's complement arithmetic or write their own parsers. Anything that (optionally) protects these folks from themselves a little is good. They have become the dominant Internet clients.

    Like it or not, we've had an enormous 'dumbing down' of the 'net, and no amount of wishing will make it back into a hacker's paradise. Trying to do that is incredibly elitist -- even more than the admittedly elitist step of dividing the world into clients and non-clients.

    The legit fear is that, once the client/non-client distinction is made, the big boys will chase out all the hackers, and force us to become castrated clients. "You can't have your own IP address. You can only send approved protocols. You can't use IP tunneling. So there." Lots of ISPs force their customers into highly restricted interfaces and protocol sets. This is a dangerous trend.

    But we can't put the genie back in the bottle. NAT and private intranets are just too damn convenient. I won't consider getting rid of any of mine. We need a different way to protect our informational rights (a formless concept).

    --
    -- We all have enough strength to endure the misfortunes of other people. La Rochefoucauld
  93. what about uPNP? by r2000 · · Score: 1

    This was designed to solve this issue, you get state information about the connection (external IP and speed etc) and are able to control the connection if that's enabled. You can set up incoming NAT redirection remotely using it. Why does no one like it? Oh yeah, Microsoft had a lot to do with the engineering of it.

  94. You're missing the point by Anonymous Coward · · Score: 0

    The Network Address Translation effects the author speaks of are increasingly done by your ISP. He is not talking about NAT routers that consumers set up for IP sharing or protection. This is a distinct point that could have been made clearer in the article.

    When the author talks about port mapping, he speaks of the ISP mapping a port through their NAT router to your IP without which a server could never be hosted in the classic sense.

    This is what the author refers to in the changing infrastructure of the internet that increasingly precludes peering as a communications option. That the fundamental and original internet infrastructure is changing as a result of ISPs adopting NAT routing so that most user connections only support computers in the role of clients, not peers or servers.

    The author understands that in this changed environment, his software cannot continue to function for it is based on a premise that is disappearing rapidly. The only solution would be to establish a central server, which is not cost effective in this instance. What Internet infrastructure would support in the early 1990's is no longer true today and the outcome is that his program will die since the environment needed to sustain it no longer exists.

    This is a loss for us all since we are not treated equal, with most users relegated to the simple status of client consumer as a general class with the internet reduced to little more than a digital distribution network for paid content and services. A great deal of that loss stems from computer to computer communication requiring a third party intermediary.

    SpeakEasy sounds a lot like a forerunner to VOIP telephony. With VOIP looking like the next big thing and the peering model going down the drain, there is a requirement for vast third party server farms to facilitate this application of technology. This fits the business model of the Bells and the Cable companies selling bandwidth and services perfectly. As the author notes, there will be no impetus to discard NATing even with the adoption of IPv6. Quite the contrary it would seem.

  95. Re:I know I enjoy the added security of a NATed fi by pHDNgell · · Score: 1

    IPv6 will be grand...when I can buy it for a reasonable price from my ISP. It's disingenuous for you to say "Well, just use IPv6!" when that's simply not an option for the overwhelming majority of Internet users.

    I got an IPv6 over an IPv4 tunnel over my cable for free. You can, too.

    But yeah, my point is that it's not ``the internet,'' just yet. When it is, we can do away with all this NAT/PAT crap.

    --
    -- The world is watching America, and America is watching TV.
  96. Re:NAT & fresh windows installs by 3.1415926535 · · Score: 1

    (unless you don't want people to know how many machines you have.)

    You can do the same thing by having many more IPs than you actually use. You can even cycle through them as a form of obfuscation. (Although there is, of course, no security through obscurity).

  97. Re:I know I enjoy the added security of a NATed fi by evilviper · · Score: 1
    There's no added security to NAT. A NAT box that blocks incoming connections is no more secure than a router that blocks incoming connections.

    In fact, I would say that NAT provides the illusion of security.

    If you have a NAT, which doesn't do advanced stateful packet filtering, then you can be reached. Something simple like source-routed packets can allow someone to connect to your internal network, no problem at all.

    Even if you are set to reject all source-routed packets, there are plenty of other tricks. All someone needs is access to a machine on the same network as you, and they are in, without much hassle at all.

    Right now, NAT provides a slight amount of security over nothing at all, because worms and amateurs aren't smart enough to break through it. However, it wouldn't be hard to add a couple lines of code into a worm, and suddenly it is able to get through all NATs connected to the network the rooted machine resides on. Enjoy the rooting.

    What NAT is, is convenient. I have my router box equipped with NAT and DHCP.

    You see, now there's the mixup right there. It certainly isn't NAT that you find convenient, but DHCP! (I find DHCP incredibly inconvenient in 99% of cases myself, but to each his own).

    Now, with IPv6, DHCP is done away with completely. You have ample IPv6 addresses, and IPv6 has a built-in method to automatically choose an available address.

    In other words, once IPv6 is a hit, NAT is long gone.

    And it works 99.9% of the time for me.

    MANY people have FAR worse luck than you. As usual, just because you don't need something, doesn't mean it is unnecessary.

    Besides, with IPv6, it will work 100% of the time, no proxies, no NAT, no other hacky-crap.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  98. Also inventor of Hacker's Diet by mattr · · Score: 1

    John Walker is also the author of a fascinating set of free programs and book on dieting called the Hacker's Diet in which he discusses a realistic way to lose weight while remaining healthy, using techniques of project management which have served him well in other fields of endeavor. Check it out! (I have the Palm version running myself and have lost 6kg)

  99. I have no peer by fm6 · · Score: 1
    The legit fear is that, once the client/non-client distinction is made, that the big boys will chase out all the hackers, and force us to become castrated clients. "You can't have your own IP address. You can only send approved protocols. You can't use IP tunneling. So there." Lots of ISP's force their customers into highly restricted interfaces and protocol sets. This is a dangerous trend.
    Good point. You've just described yet another kind of NAT imposer. Which makes three. There might be more, but let's talk about the ones that have come up in this discussion.
    1. The evil media conspiracy, that wants to change the internet into producers (servers) and consumers (clients). Perhaps somewhere some corporate type is touting this as the future model of the internet, but I haven't seen it. In any case, it's silly to blame internet balkanization on them. Groups two and three are the real culprits.

    2. ISPs and such that, as Spinality puts it, want all their customers to be "castrated clients". Yeah, this sucks, and we do need to do whatever it takes to prevent this from becoming mandatory. But while doing this bear a couple of points in mind: (a) most users could give a shit; (b) these restrictions are motivated by very legitimate concerns. Which suggests that more sophisticated users will eventually have to resort to specialized ISPs, like Speakeasy.

    3. People doing their own LAN, for whom private networks are a clean, simple, and effective way to keep the script kiddies offsite. It's not the right solution for everybody, but it is for most people.
  100. Greed is greed, even on IPv6 by yerricde · · Score: 1

    I was replying to the assertion (by CowboyNeal in the OP) that people would wish to maintain this once IPv6 becomes common. At that point, every home user should have hundreds of addresses available

    What makes you think, even though IPv6 theoretically has 2^128 addresses available, that residential ISPs won't try to charge extra for more than a /128 (i.e. one address)? Greed is greed, even on IPv6. Sure, all the RFCs state is that ISPs should give customers a /64 or bigger, but where the ISP sees should in an RFC, the ISP thinks "opportunity to fleece its customers," especially if the ISP is a Fortune 500 corporation, as is the case for almost all cable ISPs.

    --
    Will I retire or break 10K?
    1. Re:Greed is greed, even on IPv6 by petard · · Score: 1

      I hope that because none of these ISPs (yet) produce their own hardware or configuration software, hardware manufacturers and application programmers will default to following the "shoulds" in the RFCs. Few ISPs will bother to deviate from these defaults at first. If we're lucky, this will lead to people getting used to a /64 and rejecting an ISP where their microwave, refrigerator, TiVo, PDA, telephone and all 4 of their PCs can't have routable addresses so they can control them from the office.

      I know what you mean about cable ISPs, though. I just got rid of mine because their business practices made me so angry. This seems to be creating a market in itself, though. For example, speakeasy.net touts its "liberating policies" on the front page, along with the statistic that 6 out of 7 new subscribers come from another broadband ISP.

      --
      .sig: file not found
  101. WTF is Natural IP doing by fnj · · Score: 1

    I just went there and can't figure out squat.

    That is one of the most annoying sites I have ever visited. Even the FAQ doesn't reveal a single piece of useful information as to how it works.

    Anybody know?

  102. Go ahead, click the link if you dare by fnj · · Score: 1

    Parent has posted a naughty link which is obscured.

    This makes me question the entire TinyURL idea.

  103. You're relieving your bladder into the wind by fnj · · Score: 1

    "Please don't use NAT! "

    My subject says all that needs to be said. The world is ignoring your plea, whether or not I agree to heed it. I think we need to deal with it.

  104. Correctimundo by fnj · · Score: 1

    An external, compact and convenient box is the best choice for most of us. Whether it uses NAT or not is an implementation detail. Most of them are going to use NAT for a long time to come, and that is something that needs to be dealt with.

  105. Re:NAT & fresh windows installs by heavyVoid · · Score: 1

    You are justifying the use of NAT to avoid the problems that a broken operating system such as Windows has?

    So you are "fixing" windows network flaws by isolating yourself from the internet?

    I can't believe we got to the point where a user just can't share a directory or a file through the internet without needing such vicious ways of hiding itself through firewalls.
    Does anyone but me feel this is a Windows design flaw, instead of a problem in all other OSes..

    I use Debian GNU/Linux at home. I share what I please without needing a firewall. I only have a firewall for the fun of researching on it, and I have fun stopping it, starting it, stopping it for days, idontcare.

    I regularly connect to remote Linux servers in other countries to do some CGI/php/perl work on them, and I notice they are not behind firewalls, and are online for months or more. These servers never met the blaster or whichnameitis worm.

    What does the 135 port mean? WINDOWS RPC. So what the f**k do i need to block it? I laugh at the blaster worm.

    --heavy