From: Michael Mol
Date: Sun, 10 Mar 2013 17:07:25 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?
Message-ID: <513CF60D.7060708@gmail.com>
In-Reply-To: <513C17D2.7080008@gmail.com>
List-Id: Gentoo Linux mail

On 03/10/2013 12:19 AM, Alan McKinnon wrote:
> On 10/03/2013 03:42, Walter Dnes wrote:
>> On Fri, Mar 08, 2013 at 07:41:13PM -0500, Michael Mol wrote
>>
>>> The trouble with NAT is that it destroys peer-to-peer protocols. The first was FTP in Active mode.
>>
>> In its day, it was OK. Nowadays, we use passive mode. What's the problem?
>>
>>> SIP has been heavily damaged as well.
>>> Anyone who's used IRC is familiar with the problems NAT introduces to DCC.
>>
>> Every ADSL router-modem I've run into recently has port-forwarding.
>>
>>> Anyone who's ever played video games online,...
>>
>> A *CLIENT* that can't operate from behind NAT is totally brain-dead.
>>
>>> or who's tried hosting a Teamspeak or Ventrilo server, has had NAT get in their way as well.
>>
>> Port-forwarding.
>
>
> All those examples you give are much like a bunch of home machines sitting behind a NAT gateway onto the internet. That's actually OK and I reckon that is the intended use of NAT.

I want to point out that that's only true if the home network has at least one public IP. If you've got NAT 4x4, you're kinda screwed. (Alan will understand that, but for those unfamiliar with it, that basically means that if your home router is given an RFC1918 address by your ISP, port forwarding isn't going to do squat for you.)

I've got a friend in a rural area who can't get a publicly-routable address. To access his home network from work, he rents a VPS and sets up a static tunnel. Such are the evils of NAT.

> Personally, I'd prefer all of my machines to have a public address but there's no chance in hell my NetOps colleagues are giving me that with my DSL connection.

Well, with IPv6, they're supposed to. ^^

>
> We have many years of experience now with consumer connections and the users that use them, these guys mostly can't admin a machine to save their lives, so NAT in their case is a good thing on balance.

There's nothing NAT really offers them that having a default simple firewall on their network gateway wouldn't solve. If inbound traffic is part of an established or related connection, accept it. Otherwise, reject it by default. That's all the security benefit NAT accomplishes, albeit without mangling any packets.

>
> The true evil of NAT comes about when some clown starts implementing it on the network itself.
> I'm in city X, we have a large office in city Y, and most of the traffic Y->X goes through a *router* doing NAT. No-one knows anymore why this was originally done but we all know what it will take to undo it. To get our backend systems to work for clients in city Y I have to put in the cursed "any any" firewall rules, and that sends our Risk fellows ballistic for good reason. But I have no choice, the network design essentially discarded all information as to who the client is, so now I must allow all of them.
>
> Any real-life network that grew organically over several years is always going to be rife with examples of fuck ups like this, always done in the name of expediency. I have lots of such examples, the above is only the first that came to mind.
>
> So whereas NAT behind a home router for IPv4 is good, in almost every other usage I've seen it is bad and really just a case of a solution used in places it never ever belonged.

NAT behind a home router is bad, too. For IPv4, it's only necessary because there aren't enough IPv4 addresses to let everyone have a unique one. (It's unfortunate we never got DHCP-PD for IPv4; that would solve a number of problems I've seen and foresee with small-business IPv4 networks both pre- and post-crunch.)
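The "stateful default-deny" gateway described in the message above (accept established/related inbound traffic, reject everything else), written out as an nftables ruleset. This is an added example for the archive reader, not code posted in the thread or shipped by Gentoo. It assumes nftables on the gateway, interface names eth0 (WAN) and eth1 (LAN), and a LAN host address in the 2001:db8::/32 documentation prefix; all three are assumptions, overridable through environment variables. The point it makes in code is the one the message makes in prose: the one `inet` filter table carries the entire security policy for both address families, and the IPv4-only `nat` table adds nothing to it. It also carries the caveat a practitioner needs when turning NAT off for IPv6: a default-deny forward chain must still pass the ICMPv6 messages that neighbour discovery and path MTU discovery depend on, or the "firewall instead of NAT" setup breaks in ways NAT never did.

```shell
#!/bin/sh
# Added example, not code from the gentoo-user thread. Interface names and the
# IPv6 host address below are assumptions; override them via the environment.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
V6_SSH_HOST="${V6_SSH_HOST:-2001:db8:1::10}"   # documentation prefix, assumed

# Print the nftables ruleset. One 'inet' table serves IPv4 and IPv6, so the
# policy is identical whether or not address translation is in play.
ruleset() {
cat <<EOF
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # IPv6 is not optional about ICMP: router/neighbour discovery and PMTU
    # discovery all ride on it. Dropping these is the classic v6 "firewall
    # instead of NAT" mistake.
    icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request, packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept
    icmp type { echo-request, destination-unreachable, time-exceeded } accept
    iif $LAN accept
    # Anything unsolicited from the WAN: reject (as the message suggests)
    # rather than silently drop.
    reject with icmpx type admin-prohibited
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    icmpv6 type { packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept
    iif $LAN oif $WAN accept
    # With globally routable IPv6 there is no "port forward": exposing one
    # service on one host is a single explicit accept rule, no rewriting.
    iif $WAN oif $LAN ip6 daddr $V6_SSH_HOST tcp dport 22 accept
    reject with icmpx type admin-prohibited
  }
}

# IPv4 only. This exists because there is one public address to share; it
# contributes nothing to the security policy above, and it is the part that
# mangles packets and breaks inbound peer-to-peer protocols.
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oif $WAN masquerade
  }
}
EOF
}

# Number of chains that implement "accept established/related" (expect 2:
# input and forward). Used as a sanity check on the generated ruleset.
stateful_rule_count() {
  ruleset | grep -c 'ct state established,related accept'
}

case "${1:-}" in
  check) ruleset | nft -c -f - ;;   # parse-only check; needs nftables installed
  apply) ruleset | nft -f - ;;      # needs root on the gateway
  *)     ruleset ;;                 # default: just print the ruleset
esac
```

Run it as `sh gateway.sh` to print the ruleset, `sh gateway.sh check` to let `nft -c` parse it without loading, and `sh gateway.sh apply` as root to install it. Drop the `ip nat` table entirely on a gateway that has a routed IPv4 prefix and the filter policy is unchanged, which is the message's whole argument.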