Home page logo
/

nanog logo nanog mailing list archives

RE: Where NAT disenfranchises the end-user ...
From: Roeland Meyer <rmeyer () mhsc com>
Date: Fri, 7 Sep 2001 11:58:08 -0700


|> From: Jim Shankland [mailto:nanog () shankland org]
|> Sent: Friday, September 07, 2001 11:33 AM

|> "Mike Batchelor" <mikebat () tmcs net> writes:
|> 
|> > Oh yes, the firewall.  That convenient device that network software
|> > developers can assume will always pass port 80 and 443 traffic.  So
|> > everything uses port 80 and 443 in the future Internet, 
|> and we're all the
|> > better for it.
|> 
|> Um, sure, but what are you arguing?  That firewalls are useless and
|> should all go away?  (Good luck.)  That firewalls don't 
|> really exist :-)?

Actually, for the ports that they have proxyd for, they don't. It's called
"transparency", one of those fundimentaly concepts. The ports that they
block, are supposed to be blocked, by design and not by accident. Firewalls
are deterministic, NAT boundaries aren't.

|> Maybe it would be useful to design a base protocol that would
|> provide a standardized method for things like passing an <address,
|> port> tuple, or registering a desire to receive packets on a
|> particular UDP port -- the kind of things that gamers, e.g., 
|> want, and
|> that are tricky to make work through a NAT.  Games, etc., could be
|> written on top of this base protocol, and NATs and firewalls could
|> be made to be aware of that protocol.  Just a thought; any
|> merit to it?

You've just described a NAT proxy daemon. I've spent years trying to write
one. If you are that good, send code. Or better yet, send it to
www.sourceforge.org. The fundimental reason that you can't write one is that
it requires a whole other protocol that 1) deosn't exist, 2)Isn't
implemented, 3)Violates more than one of Dykstra's laws.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]