Slashdot Mirror


User: asdfghjklqwertyuiop

asdfghjklqwertyuiop's activity in the archive.

Stories
0
Comments
1,548

Comments · 1,548

  1. Re:18-35 #6 DRUG POLICY on Help Select Questions for Bush and Kerry · · Score: 1

    So marijuana doesn't kill.... driving while high did.

  2. Re:Nice flamebait re: GWB on The Jobs Crunch · · Score: 1

    Perhaps because the specific chemicals found could easily be used to make chemical weapons on the spot.


    Easily used to make chemical weapons on the spot? How easy? References?


    So maybe it's not a stockpile of hundreds of tons of clearly-labeled WMDs ... but in a country that had a decade of experience in hiding things, is that a realistic expectation anyway?


    Well it sure was a realistic expectation before the war. I don't expect the Bush administration to perform miracles - just deliver on what they themselves said.

  3. already explained many times on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    Let's be realistic what most people install at home is a router providing NAT and not a firewall.


    Evidence to support this claim? Most consumer broadband embedded routers do firewalling as well as NAT.


    The reality is that this DOES effectively filter a lot of traffic because the router is rarely configured by default to forward ports directly to a machine on the LAN.


    Did you read any of the other messages in this thread? I have already explained it quite clearly: NAT does NOT filter anything. The standards don't specify that it does and I don't know of any implementation that does. I have given examples of how to go straight through a router that is only doing NAT and not filtering. Port forwarding has nothing to do with it because outsiders can establish routes to your internal network, which does not depend on NAT or port forwarding or anything. Again, read the other messages in this thread; I explained it several times, as did several other people.


    If we switch to IP6 and don't use NAT this will mean installing firewalls becomes more important.


    Firewalls already are very important. Practically everyone is using them already.

  4. Re:Death Penalty and Religion on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    From dictionary.com:


    To kill (another human) unlawfully.


    What/whose law would you say that refers to?

  5. Re:Death Penalty and Religion on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    The Commandment is not "thou shalt not kill". It is "thou shalt do no murder".


    And how would you define 'murder'?

  6. Re:Nice flamebait re: GWB on The Jobs Crunch · · Score: 3, Interesting

    No WMD were ever found.


    They did find a few old warheads, some filled with sarin that was from their war with Iran. They also found a bunch of pesticide or herbicide, which for whatever reason was believed to be WMD related.

    Certainly not the "stockpile" or hundreds of tons worth that we were promised.

  7. Re:My Question: on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    Hopefully nothing. It's a simple law, don't smoke pot. If you do and get caught don't belly ache.


    Right! Because the law is always right and moral.

  8. Re:My Question: on Submit and Moderate Questions for Bush and Kerry · · Score: 1

    Why not try following the law instead of being a vigilante. Your actions end up costing us more in the end than anything.


    And put the blacks back in labor camps. And eliminate women's right to vote. All those protests, all that labor that needed to be paid for, all those changes to the laws cost us more in the end than anything.


    The war on drugs would be significantly cheaper if there weren't so many drug-using idiots.


    The war on drugs would be significantly cheaper if there were no idiots who wish law enforcement to impose their personal opinions about what people can put into their own damn bodies on everyone else.

  9. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    No - just using the "private" addresses in itself reduces external access:


    I'll concede that it reduces the ease of outside access somewhat. But no one (including you) seems to believe that that is sufficient security.

    I think you misunderstood what I meant when I said "they believe NAT alone is giving them security". I meant that some people believe that it is NAT itself which provides their network with all of its security. They believe that if you take NAT out of a properly configured router doing NAT and firewalling and everything, that they will be insecure. That's not true. They will be just as secure without the NAT.

  10. Re:A Call For Responsibility on CA's Ex-CEO Indicted on Fraud · · Score: 1

    At the university I went to, ethics was a required course for computing science and engineering, but not for ANY of the business


    Well, it's not like one college course is going to take unethical people and make them ethical anyway.

  11. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    Correct. It wasn't pre-built, but when I wanted "a NAT setup", filtering was a natural part of using private IP addresses. You agree, I think, with my position that such filtering is part of a correct NAT-based connection such as mine, which was my original premise and the basis for the other posters' "NAT blocks external connections" assumption?


    Yes, I agree that filtering is the logical thing to have in this setup.

    My original point was that filtering and NAT are separate things, and filtering is what is providing you with real security, not NAT. So in that case, you can take away the NAT, leave the filtering, and not be worried about security. That would also be the logical thing to do when moving to IPv6 - ditch NAT, use filtering.

    But given the logical assumption that you'd have filtering in place with or without NAT, people still said NAT is giving them security ("NAT blocks external connections"). That implies that they believe NAT alone is giving them security, which is wrong.

    If you have a good firewall now, you have absolutely nothing to fear by ditching NAT but leaving that firewall as you would do in an IPv6 move.

  12. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    You are still using the state-keeping of NAT to actually decide what to pass and what not, which in most cases requires no user configuration and is transparent.


    Most modern firewalls are stateful, that is the firewall itself maintains state. I've set up a number of firewalls which are stateful but don't do any NAT.

    I suppose the NAT state data and the firewall state data could be one and the same if both NAT and a stateful firewall are used, to avoid redundancy, but they don't have to be.


    Question remains if it is a problem that isn't already sufficiently solved for the end user (albeit in a technically ugly way)


    Well, some end users might benefit a little by the QoS features of IPv6 (VoIP and video), or being able to enter 'mycomputer.company.com' instead of memorizing a port number for remote access applications.

    But if manufacturers start building in IPv6 support (many already have), then there will at least come a point when a change to ipv6 can be made without users having to buy all new equipment.

  13. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    So I want the LAN to be safe; then I have to have an IPv6 firewall anyway, so what's the difference to me if I have to do the same hole in the firewall as I would do in a NAT box?


    None whatsoever. You'd still have the same firewall rules either way. The only difference is the presence of NAT.

    But that was my point: There's nothing to fear in having routable addresses for everything. You have a firewall either way, so your stuff isn't any more exposed to hackers with IPv6.

    NAT (as most commonly used today) is just a hack which complicates things.

  14. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    No, to the outside world it appears to be a single host, with a single IP address, sending and receiving packets like any other host. The machines "behind" it are invisible to the outside world. It does not act like a router to Slashdot, it acts like a host.


    Ok, to slashdot it appears as a host in the sense that packets are addressed directly to it. But it is also a router in the sense that it is fully performing regular routing duties beneath the NAT. Once NAT de-mangles the packet, it gets handed off to the operating system's routing mechanism for regular processing.

    And the key in my original statement was that if NAT doesn't translate a particular packet, that doesn't mean it gets dropped. NAT could just not touch the packet and it will still be handled as usual. And that is exactly what is going on when I gave that example of setting up a Linux machine as a router with NAT only and no filtering, and the internal network was fully accessible by the outside once proper routes were set up on the outside.


    True in a sense - but nor does it do NAT unless set up to do so. IMO, when NATting RFC1918 addresses in one direction, blocking them in the other direction also makes sense: the whole point there is to separate the private network from the general Internet.


    Yes. The filtering makes sense when doing NAT, but they are two separate things. NAT does not imply any kind of filtering. That's the whole point of this thread. You can take away the NAT, leave the same filtering, and your security will be no different.


    There have been previous discussions here about randomizing the various parameters (as OpenBSD can) to make the illusion of a single host more convincing to your ISP; to then allow inbound connections to RFC1918 addresses would rather defeat the purpose :-)


    Yes, again, the filtering definitely makes sense with the NAT, but NAT doesn't imply filtering.


    It's certainly possible to set up a router to do that, and useful in some scenarios (as is the reverse; Slashdot itself is behind a load balancer which should do something similar) - but for the typical home use of NAT (putting machines on RFC1918 addresses, then mangling packets so the outside world sees only the single IP address their ISP provides), allowing inbound connections like that is bad.


    Well at this point I'm not sure where this discussion is heading.

    You seem to agree that NAT and filtering are two different things and one can be used without the other. Now if you agree that NAT alone does not provide sufficient security while filtering does, well that was my whole point.

    Every time IPv6 is discussed, a bunch of people talk about how afraid they are because NAT will be unnecessary and they think their network will be less secure without NAT.

    And my original point is that NAT isn't what's giving you security, filtering is. The two can be separated, and if you do separate them and keep the filtering while ditching NAT (in favor of routable addresses) you still have the same security.


    I know my OpenBSD firewall did block any such attempt, as its replacement appears to do.


    You almost certainly had and have filtering rules in addition to the NAT. I can't imagine any kind of documentation or pre-built firewall setup scripts having you not do the filtering too.

  15. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    If the router fails to filter such packets (or rather, it chooses to route them) then yes, you can get through. This would seem unlikely - apart from anything else, that shouldn't be a normal "router" on 172.30.0.2. My own NAT system, for example, doesn't act like a router at all to the outside world: any packet it gets that isn't aimed at its own IP is just dropped.


    There's no such thing as a router that acts like a router to one network and doesn't act like a router to another network. A router has to route legitimate packets going in either direction or it wouldn't be a very useful router. Your router acts as a router to you just as much as it acts like a router to Slashdot.

    Now your router may pick and choose what packets it wants to pass and what it wants to drop. This is packet filtering, and is distinct from routing and NAT. A router does not drop anything unless you set up packet filtering to make it do so.

    A router without packet filtering is no less a "normal router". Most backbone routers do not do any kind of filtering. In fact, in my experience tier-1 ISPs are quite reluctant to do any kind of filtering for you (to, say, stop a DoS attack) because applying filters to their routers increases their CPU load.


    Apart from anything else, the NAT router's configuration shouldn't let packets with RFC1918 source addresses leave the network - so if you try opening a connection to a machine behind such a gateway, your SYN packet will arrive - but the SYN|ACK reply won't make it back to you, hence no connection.


    Au contraire. In one of my other NAT discussions I actually set up a router to do only NAT. Inbound connections worked fine. Those connections were not the type of thing that we wanted NATed (only outbound connections), so NAT didn't pay any attention to them. Lacking any filtering rules, the connection just went right through.

  16. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 2, Informative

    Your neighbors can route the non-routable addresses to your IP, but as I said before, if you drop source routed frames then that won't be an issue.


    I'm not talking about source routing. I'm talking about plain old vanilla routing.

    You've got two machines on one big network which from our perspective is an ethernet. Perhaps the underlying stuff is the cable cloud in your part of town.

    One machine on this network is a router with public IP 172.30.0.2, not filtering anything. Behind this router is 10.0.0.0/24.

    On another machine on this big network you type 'route add -net 10.0.0.0/24 gw 172.30.0.2'. Also on this machine you then type 'ping 10.0.0.1' and notice the reply.

    No source routing involved here at all.

  17. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    Anything that does not match either is not translated and not forwarded.


    You're right up until that point.

    If an incoming packet doesn't belong to something in the NAT state table, that doesn't mean it won't be forwarded. That only means it won't be NATed. In that case, it will follow the regular forwarding procedures. If you have NAT and IP forwarding and nothing else, that means the packet gets routed straight through as normal. It doesn't get translated or anything else.

    Go ahead and grep the RFCs for "drop", "reject", "block"... you will find nothing pertinent.

    In the thread I mentioned in my earlier post (or somewhere in that story), I posted an example using iptables. Turn on forwarding, flush everything, and then do 'iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE'. That'll give you a perfectly working NAT router. And everything that comes in on the outside will pass straight through. Believe me, I tried it. Or don't believe me - go ahead and try it yourself.

    Also, one of the replies in the previously mentioned threads claims that you'll get the same results after doing similar configuration on any Cisco box.

    You could go on testing other firewall and NAT implementations, but I'm pretty sure you'll get the same results. You should since that's what the RFCs say.


    So, what is said here is that you can do the exact same filtering without NAT. That is absolutely true, but in no way says that NAT is NOT doing that; in fact it says you do the same but without the need for NAT.


    Again, you need to read further. I and other people in that thread gave specific examples of how NAT isn't sufficient.

    But what all these arguments boil down to is believing that NAT causes the router to drop all inbound packets that don't belong to something in the NAT table, and no such function is found in any of the RFCs or either Linux's or Cisco's implementations at least.

    The other assumption is that your block of non-routable addresses will be always unroutable to people on the far side of your firewall. That isn't a good assumption to make as I just explained to another responder.
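
The forwarding path that comments 16 and 17 above argue about, as an added example that is not part of the original thread: a small pure-Python model of a Linux-style router with the three hook points that matter (PREROUTING de-NAT, FORWARD filter, POSTROUTING masquerade). It is a simulation, not a wrapper around iptables, so it runs anywhere. The addresses 10.0.0.0/24 and 172.30.0.2 come from the thread; the packet layout, the `Router` class, the outside hosts 203.0.113.9 and 198.51.100.7, and the routable LAN 192.0.2.0/24 used for the "no NAT" case are constructed for the example.

```python
"""Toy model of a NAT router's forwarding path (added example, not from the thread).

MASQUERADE only rewrites packets that create or match a NAT state entry;
everything else falls through to ordinary IP forwarding untouched. The only
thing that drops an unsolicited inbound packet is a separate stateful filter
on FORWARD, and that filter behaves the same whether NAT is on or off.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

WAN_ADDR = "172.30.0.2"   # the router's outside address, as in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Hook order: PREROUTING (de-NAT) -> FORWARD (filter) -> POSTROUTING (SNAT)."""

    def __init__(self, lan, nat, stateful_filter):
        self.lan = ip_network(lan)
        self.nat = nat
        self.stateful_filter = stateful_filter
        self.nat_table = {}      # WAN port -> (LAN host, LAN port); used only when nat=True
        self.conntrack = set()   # flows opened from the LAN: (src, sport, dst, dport)
        self._next_port = 40000

    def forward(self, pkt):
        """Return the packet as it leaves the router, or None if the filter dropped it."""
        from_lan = ip_address(pkt.src) in self.lan

        # PREROUTING: only a packet aimed at a masqueraded port is rewritten.
        # A packet that matches nothing in the NAT table is simply left alone.
        if self.nat and not from_lan and pkt.dst == WAN_ADDR and pkt.dport in self.nat_table:
            host, port = self.nat_table[pkt.dport]
            pkt = replace(pkt, dst=host, dport=port)

        # FORWARD: the stateful filter is the only stage that discards anything.
        # It keys on its own connection table, not on the NAT table.
        if self.stateful_filter and not from_lan:
            reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_of not in self.conntrack:
                return None          # NEW connection from the WAN side: drop

        # POSTROUTING: record outbound flows; masquerade them only if NAT is on.
        if from_lan:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if self.nat:
                wan_port = self._next_port
                self._next_port += 1
                self.nat_table[wan_port] = (pkt.src, pkt.sport)
                pkt = replace(pkt, src=WAN_ADDR, sport=wan_port)
        return pkt


def scenario(nat, stateful_filter, lan="10.0.0.0/24"):
    """Replay the thread's three packets and report what got through."""
    router = Router(lan, nat, stateful_filter)
    net = ip_network(lan)
    client = str(net.network_address + 5)   # a LAN host, e.g. 10.0.0.5
    server = str(net.network_address + 1)   # e.g. 10.0.0.1, running SSH

    # 1. LAN host opens a web connection; 2. the web server replies.
    out = router.forward(Packet(client, 5555, "203.0.113.9", 80))
    reply = router.forward(Packet("203.0.113.9", 80, out.src, out.sport))
    # 3. An outside host that has added 'route add -net <lan> gw 172.30.0.2'
    #    sends a SYN straight to the LAN server. No NAT state matches it.
    unsolicited = router.forward(Packet("198.51.100.7", 1234, server, 22))

    return {
        "outbound_src": out.src,
        "reply_delivered_to": (reply.dst, reply.dport) if reply else None,
        "unsolicited_forwarded": unsolicited is not None,
    }


if __name__ == "__main__":
    for nat, filt, lan in [(True, False, "10.0.0.0/24"), (True, True, "10.0.0.0/24"),
                           (False, True, "192.0.2.0/24"), (False, False, "192.0.2.0/24")]:
        print(f"nat={nat!s:5} filter={filt!s:5}", scenario(nat, filt, lan))
```

Running it shows the two rows that matter: NAT on with no filter forwards the neighbour's SYN to 10.0.0.1:22 unchanged, while NAT off with the filter on blocks it and still delivers the legitimate reply, exactly the "ditch NAT, keep filtering" case the comments describe. The real-world version of the filter is the usual FORWARD rule pair accepting ESTABLISHED,RELATED and dropping NEW from the WAN interface, which has no dependency on the MASQUERADE rule at all.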

  18. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    or they will be trying to access your internal IP which is not routable,


    You are assuming that your internal addresses will always be unroutable on the outside of your firewall. That is an unwise assumption to make.

    For example, on most broadband internet connections, all subscribers in the same area work as if they're all on one big logical ethernet and IP network. It is trivial for any of the other people on this logical network to add a route to my internal prefix via my external address. My neighbors may not want to hack my stuff, but I can't stop them from running an unpatched windows machine that will be easily exploitable by someone trying to get to me.

    Furthermore, my ISP could make my internal addresses routable quite easily if they or someone exploiting their systems wanted to.

    Even if the above is unlikely or difficult in your particular situation, you don't want to put the security of your network in the hands of your neighbors or your ISP. You want it entirely in your hands and under your control. That's why you have a firewall of your own.

  19. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    Well, unless you configure it otherwise, it does in fact filter any connections coming from the outside.


    No, in fact it does not, I assure you. Read RFCs 1631 and 2663. Specifically, read section 9 of RFC 2663, which instructs you to use a firewall to filter out bad stuff.

    And once you've read that, read this thread for more information and specific examples of how and why NAT won't filter anything.

    If that still doesn't convince you, look at other posts in the above mentioned slashdot story, or any IPv6 story on slashdot for that matter where people whine about how NAT gives them nice security, and you'll find a bunch of posts demonstrating that they are 100% wrong.

    And if you still aren't convinced, then go ahead and debate this with me. I've been through this NAT FUD so many times I don't even need to look through the RFCs to tell you what sections to read.


    I really suggest you go take a peek at the quality of state-keeping in the majority of consumer grade firewall packages


    And in that case I really suggest that users of those firewalls use something else, because NAT isn't solving their problem.

  20. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 3, Informative

    A router that does NAT happens to function as a pretty good ip filter with state-keeping that is extremely easy to configure.


    NAT does not filter anything. A firewall does. You probably already have a firewall, so taking away the NAT would not change the security of your network one bit.

  21. Re:Most people don't care about IPv6 on Accelerating IPv6 Adoption With Proxy Servers · · Score: 1

    I have a bunch of computers here, and any of them can access Internet if I so allow, but there is absolutely no need for an external host to access any of those internal computers.


    You never want to SSH into any of your computers, or use remote GUI access programs? Host game servers? Maybe a little web server or file server?


    So why should I expose my stuff to hackers?


    You wouldn't be exposing your stuff to hackers with real addresses any more than you would with private NATed ones. You have a firewall, don't you? Well, just take away the NAT, leave the firewall. Your firewall's setup would be almost identical.

  22. Re:Get a clue on Large Scale Web Apps Built on Open Source · · Score: 1

    In fact, I know of several people implementing n-tier applications with PHP on the front, Python in the middle and PostgreSQL in the back with much success.


    How do they make the PHP front talk to the Python middle layer?

    I love python and I've been trying to use Python in the front too which it isn't too good at. PHP+Python sounds interesting.

  23. Re:why Steam? on No Half-Life 2 on Steam? · · Score: 1

    And not only that, but you can't play on the internet when in offline mode.

  24. Re:why Steam? on No Half-Life 2 on Steam? · · Score: 1

    Offline mode just lets you play offline without logging into Steam. That doesn't give you an installer or anything.

  25. Re:why Steam? on No Half-Life 2 on Steam? · · Score: 2, Insightful

    Lose your copy? Just redownload it. You can start playing as soon as the first level is downloaded, and on increasingly fast connections the download time won't be an issue. For 56kers, you can always get the CD. But as a Cable user I find Steam easier.


    What happens if Valve goes out of business, or just doesn't feel like paying for the infrastructure to support steam anymore?