Slashdot Mirror


User: asdfghjklqwertyuiop

asdfghjklqwertyuiop's activity in the archive.

Stories: 0
Comments: 1,548

Comments · 1,548

  1. Re:NAT on Federal Agencies Must Use IPv6 by 2008 · · Score: 1

    So, you can connect to the sshd on my 10.0.0.31 box that is behind a public IP attached to a NAT'ing device? (No you can't and neither can anyone else without compromising the device performing the NAT'ing.)


    Yes, actually I can. What I'd first have to do is figure out your public IP address, then I'd attempt to compromise another machine within one hop of your own. If I do that, I set up a route to 10.0.0.31/32 gatewayed to your public IP address, and voila, I'm in. I don't have to compromise your NAT router at all, I only need to compromise a machine within one hop of it.

    A lot of broadband connections nowadays basically put all subscribers in a particular area in one big virtual ethernet... so in cases like that there may be quite a few options for someone to get into your network if you aren't doing filtering along with your NAT.


    It causes packets that don't have a port redirection rule, to a private IP/port tuple, on the public interface to be dropped.


    No it doesn't, not unless you have filtering rules to do that. All NAT does is translate outbound packets, remember state of connections, and translate certain incoming packets back. All NAT can do is translate or not translate. It doesn't drop or forward.

  2. Re:NAT on Federal Agencies Must Use IPv6 by 2008 · · Score: 1

    My NAT router (Linksys WRT54G) does not accept any incoming connections by default. It has "Firewall" mode turned on by default. If you turn that off, it won't filter incoming connections, but there won't be anything to connect to!


    I don't follow why won't there be anything to connect to if you merely disable filtering?


    Even Windows XP SP2 does this; the firewall is turned on by default, and if you enable Internet Connection Sharing, the firewall is *still* turned on, blocking all incoming connections.


    Ok, yes, the firewall is blocking all incoming connections, not NAT. What's your point?


    No matter what you do, except for those strange cases where the router automatically forwards everything to another host, the most anyone from the outside network can connect to is the router itself.


    That's because the *firewall* has been turned on by default on that particular device, that is completely independent of NAT. I can have a firewall without NAT, and I can have NAT without a firewall.

  3. Re:NAT on Federal Agencies Must Use IPv6 by 2008 · · Score: 1

    A NAT router will accept all inward connections by default, unless you tell it to do otherwise with filter rules. Try it sometime. Find me one implementation of NAT that drops anything.

  4. Re:Mac OSX has had great IPv6 for a while (10.2)! on Federal Agencies Must Use IPv6 by 2008 · · Score: 1

    Most people, who enjoy semi-anon IP addresses from de facto forced reissue that I know are against IPv6 and see it for all its regretful faults, despite its wonderful goals and alleged benefits.

    In an IPv6 world... there will be no more anonymity except at a WiFi cafe lacking video cameras.


    What are these anonymous IP addresses you speak of? What about IPv6 makes the addresses less anonymous than IPv4?

  5. Re:NAT on Federal Agencies Must Use IPv6 by 2008 · · Score: 1

    though the security aspect that NAT provides really is useful.


    NAT doesn't have a security aspect. It just rewrites the addresses and ports on outbound packets and keeps track of them to rewrite the corresponding replies. If you don't have filter rules to back it up then any traffic can just flow right into your network. NAT doesn't cause packets to be dropped.

  6. Re:NAT on Federal Agencies Must Use IPv6 by 2008 · · Score: 1

    You should be using VPN for that, Einstein.


    And then you find out that company with 3000 machines to RDP into is using just about half of RFC1918 space and happens to be using the same portion of it that you are... doh!

  7. Re:Tape Backup? on Best Way to Back Up Photos and Video? · · Score: 1

    Well, my experience is completely the opposite.

    I have numerous pressed audio CDs 7 years old that now have gaps in the sound every fraction of a second half the disc through. I have data CDrs which just became completely unreadable for no apparent reason after 5 years.

    When it comes to tapes... well, just last year I had to pull some data off of a 15 year old tandberg cartridge originally written to by some obsolete unix system. I took the equally old SCSI tape drive out of that system, plugged it into a modern linux system, and read the data (tar format) perfectly. And I occasionally deal with 5-10 year old cheap junk travan cartridges, never had a problem with those either.

  8. Re:Tape Backup? on Best Way to Back Up Photos and Video? · · Score: 1

    since when is tape archival quality? It's barely backup quality. I've had way more properly stored tapes fail than I have properly stored optical media.


    Have you had more *entire tapes* fail than entire CDs? Probably not. The thing about tapes is that they are more failure tolerant than CDs/DVDs. A part of the tape can go bad and your chances of reading the rest of your data are pretty good compared to optical media.

  9. Re:Not as bad as it sounds... on Supreme Court Rules Private Property Can be Seized · · Score: 1

    Basically they said what the Conservatives would normally say, the states have the power.


    Then why don't the states have the right to control their own drug policy? Why was pot grown in a private home by a sick lady for her own consumption deemed interstate commerce?

    The conservatives don't "normally" believe in states' rights, they only believe in it when it suits their ulterior motives.

  10. Re:riches wont do you any good on How to Become A Real-World Superhero · · Score: 4, Insightful

    And just because some people can do it in moderation doesn't mean the majority would use a substance safely, in terms of putting themselves and/or others in danger.


    Ok, so if someone on drugs puts someone in danger, just do the same thing we do to anyone else who puts someone in danger. The drugs are completely irrelevant.

  11. Re:Look on Hunting for Botnet Command and Controls · · Score: 1

    Laws against eavesdropping do not give us privacy. Encryption can, but laws don't make your conversations private.

  12. Re:i dunno on IBM Promoting POWER Systems · · Score: 1

    iseries are the intel based boxes


    No, iSeries is the former AS/400.

  13. Re:Who the hell is Jamie Zawinski on Jamie Zawinski Switches to Mac OS X · · Score: 1

    JWZ is just another nightclub owner making profits by feeding other people's addictions.


    How are nightclub owners making profits feeding people's addictions?

  14. Re:we cancelled the Mcafee contract at our company on McAfee, Macromedia Flirting With F/OSS Community · · Score: 1


    If this virus was running with enough privileges to modify system DLLs like that one, then there's not much any virus scanner can do about it. If it had the ability to modify that DLL, it could have just as easily modified any other DLLs that any other virus scanner depends upon.

  15. Re:Intel, it doesn't matter. on Intel Claims No DRM · · Score: 2, Insightful

    I would rather have my rights protected, and have value to the product that I purchased, than a bunch of thieves to copy it to the extent it has no value whatsoever.


    And I would rather have MY rights protected and have the value to the product that I purchased than have a bunch of corporate media conglomerates seizing control of MY private property.

    So long as I am the one buying and owning MY computer I am only interested in my computer serving my own interests and managing MY digital rights.

    If people are violating the RIAA's copyrights, that is entirely the RIAA's problem. I am interested in looking out for my rights, not theirs. You should be also, because I assure you they are not. These people already have enough lawyers, lobbyists and corrupt politicians looking after their rights. If they are going to steal the rights to your own private property, they are most likely not counting on your help in doing it.

  16. Re:Just a coincidence on Revenge of the Sith Easter Eggs · · Score: 1

    Read the following quotes, and ask yourself, if this were the information you had, wouldn't you consider Iraq to be a clear and present danger? If we can't trust the assertions of our Democratic leaders, who can we trust?


    Bush had a lot more information than random quotes from other politicians. Some of it was actually true. However, that was brushed aside as it was not conducive to the long-established PNAC agenda of American dominance in the middle east.

    And for that matter, no, I don't trust our democratic "leaders" either, frankly. I don't trust government in general (any more than I have to). Clinton had his own set of problems. If it were him leading us into this bullshit war today, I wouldn't approve of it then either.

  17. Re:Just a coincidence on Revenge of the Sith Easter Eggs · · Score: 1

    It's your logic.. you used the fact that there "are plenty of places in the world where those things are happening" to dispute the fact that we went to war for that reason.


    Yes - that is exactly what I did - disputed the stated reasons for entering a war. I did not at all say human rights abuses & terrorist training camps were "a-ok everywhere".


    The WMD threat may have been based on faulty intelligence, but I'm definitely not losing any sleep over Hussein losing power in Iraq.


    Are you losing any sleep over the fact that the president of the most powerful country in the world told a blatant lie to start a war - and got re-elected?


    Hind-sight is 20-20.. I can understand if someone was looking at the intel reports, and thought 'if there is even a slim chance he could be acquiring WMDs, we need to prevent him from doing so at any cost'.


    Except "a slim chance he could be acquiring WMDs" is not at all what was going through their mind. What was going through their mind was that he had hundreds of tons of chemical weapons and mobile factories for making bio weapons... you know, all the stuff Colin Powell presented to the UN security council before the war.


    Hussein was a nut and a dictator.. if you don't think so, I suggest you take off your rose-colored glasses.


    No, I agree. The thing is Bush is quite a nut himself, and as a US citizen that is more concerning to me than Hussein ever was.

  18. Re:What's Wrong with New "Star Wars" Trilogy? on Revenge of the Sith Easter Eggs · · Score: 1

    Lucas has stated (and it's been in the books) that Anakin lost some of his dark-side abilities when he became Vader, such as his ability to "stop" or collect force lightning (because his arms are both fake.)


    Then how does he use his hands to choke with the force? Or his fingers to flip the switch on the carbon freezing chamber from a distance?

  19. Re:Just a coincidence on Revenge of the Sith Easter Eggs · · Score: 1

    Whose logic is that? I never said those things are ok everywhere.

  20. Re:Just a coincidence on Revenge of the Sith Easter Eggs · · Score: 1

    Clear and present danger... didn't you hear the news? Not even Bush believes there are WMDs in Iraq anymore.

  21. Re:Just a coincidence on Revenge of the Sith Easter Eggs · · Score: 1

    [1] But plenty of human rights abuses, terrorist training camps, and other good reasons to eliminate the Hussein regime.


    Please. There are plenty of places in the world where those things are happening, including present day Iraq & Afghanistan. Those weren't the real reasons behind the war, they were coincidental and made for good spin.

  22. Re:Why IPv6 is needed on IPv6 for the Linksys WRT54G · · Score: 1

    If people continue to want security in an IPv6 world, then firewalling will still be required at the edge of such private networks. The private nets won't have private addressing any more, so rules will be required to filter access to/from those assigned v6 addresses.


    They already do filter access to/from existing addresses, and in fact the rules to do the filtering are no different at all on most firewalls. Not many people use NAT without filtering.


    So if you've still got your firewall at the edge of your private network, why not continue to NAT at the same time?


    NAT is a kludge to work around the scarcity (real or perceived) of IPv4 addresses. It does nothing for security and only adds complexity. The question isn't why continue using nat, the question is why on earth would you use NAT if you had enough addresses not to need it.

  23. Re:Why IPv6 is needed on IPv6 for the Linksys WRT54G · · Score: 1

    I have a huge (10.0.0.0/8) LAN, all to myself. I've used maybe 20 of those addresses. I don't care if the hosts are internet addressable, because they are firewalled anyway. Skype works fine. BitTorrent works fine. What problem does IPv6 solve?


    Well, not everyone's needs consist of running BitTorrent and Skype on their little home network. When you have a bunch of servers that do a lot of talking with the outside world, have VPNs with 40 other organizations and need globally unique addresses, or if you just would like your network and DNS to be clean and simple by having one globally unique network prefix, IPv6 solves a lot of problems.

  24. Re:Why IPv6 is needed on IPv6 for the Linksys WRT54G · · Score: 2, Insightful

    What confusion? NAT or no NAT, you don't want incoming connections routed to a bunch of different addresses on your network.


    The confusion is that a lot of people think NAT is what is causing their network to be secure. It is not. The firewall is. You can take away the NAT and leave the firewall and your network will be just as secure.

  25. Re:Why IPv6 is needed on IPv6 for the Linksys WRT54G · · Score: 1

    And your point is...? NAT may not be a proper firewall but for most uses it's a good enough security measure. Which is why I'm saying we shouldn't discard it.


    No, actually it is not good enough because nat doesn't actually drop any packets, it just rewrites some fields in the packet headers. That's why practically every firewall sold today does filtering in addition to NAT. Taking away the NAT and leaving the firewall will not degrade security one bit.
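
Added example, not part of the archived comments: a small Python model of the translate-versus-filter distinction argued in the NAT comments above. The `Router` and `Packet` classes, the `demo` helper and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration; the model assumes a router that forwards between interfaces with source NAT on the WAN side and an optional, separate stateful filter.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Router:
    wan_ip: str
    lan: ipaddress.IPv4Network
    stateful_filter: bool = False            # the firewall, independent of NAT
    nat: dict = field(default_factory=dict)  # public port -> (host, port)
    next_port: int = 40000

    def from_lan(self, p):
        """Outbound: rewrite the source to the WAN address, remember the mapping."""
        pub, self.next_port = self.next_port, self.next_port + 1
        self.nat[pub] = (p.src, p.sport)
        return Packet(self.wan_ip, pub, p.dst, p.dport)

    def from_wan(self, p):
        """Inbound: NAT translates or leaves alone; only the filter drops."""
        if p.dst == self.wan_ip:
            if p.dport in self.nat:          # reply to a tracked connection
                host, port = self.nat[p.dport]
                return "translated", Packet(p.src, p.sport, host, port)
            return "local", p                # no mapping: stays on the router
        if ipaddress.ip_address(p.dst) in self.lan:
            if self.stateful_filter:         # new inbound flow, no state: drop
                return "dropped", None
            return "forwarded", p            # plain routing, NAT never involved
        return "not-routed", None

def demo(stateful_filter):
    r = Router("203.0.113.10", ipaddress.ip_network("10.0.0.0/24"), stateful_filter)
    out = r.from_lan(Packet("10.0.0.31", 51000, "198.51.100.7", 443))
    reply = r.from_wan(Packet("198.51.100.7", 443, out.src, out.sport))
    # Constructed packet: a host on the WAN segment addresses the private IP
    # directly and hands it to the router as its next hop.
    direct = r.from_wan(Packet("203.0.113.99", 40222, "10.0.0.31", 22))
    return reply[0], direct[0]

if __name__ == "__main__":
    print("NAT only:     ", demo(False))
    print("NAT + filter: ", demo(True))
```

Replies to established connections are translated in both configurations; only the run with the filter enabled rejects the packet addressed straight to 10.0.0.31.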