> Are there any active project about it?
>
> like:
> http://www.camrdale.org/apt-p2p/
> for Debian.
>
> Why doesn't it have viability? Why does it have?
>
> What are the security issues regarding it?
So long as it is easily configurable for the user/admin
(many of my Gnome installations are in the office, and I
wouldn't want them all responding to p2p requests through
my network, for example) this would be a good idea.
A natural evolution of what happened with git...
-Iwao
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> --- S Mathias <smathias1972@yahoo.com> wrote:
>
> > Are there any active project about it?
> >
> > like:
> > http://www.camrdale.org/apt-p2p/
> > for Debian.
> >
> > Why doesn't it have viability? Why does it have?
> >
> > What are the security issues regarding it?
>
> So long as it is easily configurable for the
> user/admin
> (many of my Gnome installations are in the office,
> and I
> wouldn't want them all responding to p2p requests
> through
> my network, for example) this would be a good idea.
>
> A natural evolution of what happened with git...
>
> -Iwao
>
I failed to remark that *forced* updates, of any kind, are
wrong. Just bad wrong. Always.
What I meant above was that a p2p storage and distribution
model makes good sense and should be explored. After all,
several of us have implemented local repositories to speed
things for similar reasons -- why not extend that speed to
the rest of the neighborhood (so to speak).
The activity of distributing package data can be separated
from the actual update action -- so there is no reason to
force updates. I can serve update package data I don't
have installed.
-Iwao
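The security question asked at the top of the thread (what makes serving package data to peers safe?) has a concrete answer in the separation Iwao describes: a peer is only a transport, and the decision to accept a file rests on metadata obtained from the trusted repository. The following is an added illustration of that check, not code from apt-p2p, yum, or anyone on the thread. The metadata layout (name, size, SHA-256), the peer fetch callable, and the sample payloads are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageRecord:
    """What the trusted repository metadata says about one package.

    Assumed layout: real repository metadata carries more fields, but name,
    size and digest are all this check needs.
    """
    name: str
    size: int
    sha256: str


class PeerBlobError(Exception):
    """Raised when data received from a peer does not match the trusted record."""


def verify_peer_blob(record: PackageRecord, blob: bytes) -> str:
    """Accept a blob from an untrusted peer only if it matches the trusted record.

    The peer never tells us what the package *should* look like; the expected
    size and digest come from the repository side. Size is compared first
    (cheap), then the digest, in constant time.
    """
    if len(blob) != record.size:
        raise PeerBlobError(f"{record.name}: size {len(blob)} != expected {record.size}")
    digest = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(digest, record.sha256):
        raise PeerBlobError(f"{record.name}: sha256 mismatch")
    return digest


def is_acceptable(record: PackageRecord, blob: bytes) -> bool:
    """Boolean form of verify_peer_blob for callers that just want yes/no."""
    try:
        verify_peer_blob(record, blob)
        return True
    except PeerBlobError:
        return False


def fetch_from_peers(record: PackageRecord, peers):
    """Try peers in order; return (blob, [ids of peers that served bad data]).

    `peers` is a list of (peer_id, fetch) where fetch(name) -> bytes; this is
    a hypothetical peer API, not apt-p2p's or yum's. Raises if nobody served
    a copy matching the repository metadata.
    """
    rejected = []
    for peer_id, fetch in peers:
        try:
            blob = fetch(record.name)
            verify_peer_blob(record, blob)
            return blob, rejected
        except PeerBlobError:
            rejected.append(peer_id)
    raise PeerBlobError(f"{record.name}: no peer served a copy matching the metadata")


# --- constructed sample data: a stand-in for an RPM payload and its metadata ---
GOOD_PAYLOAD = b"constructed stand-in for example-1.0-1.noarch.rpm contents"
RECORD = PackageRecord(
    "example-1.0-1.noarch.rpm",
    len(GOOD_PAYLOAD),
    hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
)

TAMPERED = GOOD_PAYLOAD[:-1] + b"X"  # same size, one byte changed
TRUNCATED = GOOD_PAYLOAD[:10]        # partial transfer

PEERS = [
    ("peer-a", lambda name: TAMPERED),      # serves a modified file
    ("peer-b", lambda name: TRUNCATED),     # serves a partial file
    ("peer-c", lambda name: GOOD_PAYLOAD),  # serves a faithful copy
]


def demo():
    """Returns (whether the accepted blob is the genuine one, rejected peer ids)."""
    blob, rejected = fetch_from_peers(RECORD, PEERS)
    return blob == GOOD_PAYLOAD, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that the record is fetched from the repository first and the peers are consulted only afterwards; a peer that hands back a modified or partial file is simply skipped, and an installer that only acts on verified blobs is never forced to update by anything a peer does.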
12-27-2010, 03:30 PM
Genes MailLists
Let's talk about yum and p2p in Fedora
On 12/27/2010 06:58 AM, Marko Vojinovic wrote:
> There was a quite large thread on the CentOS list recently about this.
>
> In a nutshell, the conclusion is that (1) is an urban legend --- NAT *does*
> *not* (and moreover, *should* *not* ) shield your inside machines from outside
> attacks. You still need to use the proper firewall for shielding.
>
Thank you for your thoughts ... it really is time for me to learn more!
Anyone having NAT has some kind of firewall - they go together
- even if it's a linksys box. In my case my border firewall is quite
extensive ... with plenty of netblocks that are disallowed access to any
service whatsoever ...
I need to learn more about ip6 - but I assume nf_conntrack works the
same way in ip6tables, I suppose routing through (when allowed) versus
nat'ing through when allowed are not all that different but they are
different... are the security implications obvious ?
The firewall is still controlling what is allowed or not ... tho I am
sure my understanding of a DMZ needs updating for ip6 .. so much to
learn :-)
Any suggestions for good guides on ip6 - firewalling - DMZ's - and
transition management including setting up ip6-ip4 and ip4-ip6 gateways
as may be needed ?
> > at the price of breaking functionality.
Not sure what 'things' are really broken today in practice by nat -
certainly ftp is typically no longer used with separate incoming port
tho we do have ftp_conntrack just in case ...
Thanks again .. sharing knowledge is very helpful ... ip6 is coming
soon'ish and I def. need to prepare ...
gene
12-27-2010, 04:15 PM
Patrick O'Callaghan
Let's talk about yum and p2p in Fedora
On Sun, 2010-12-26 at 17:11 -0500, Genes MailLists wrote:
> Historically, we used nat for 2 purposes:
>
> (1) to shield inside machines
> (2) free up ipv4 (was an accidental consequence of (1)
Actually IIRC you have that the wrong way round. NAT was invented to
deal with address space exhaustion, and had the side-effect of hiding
machines behind the router.
poc
12-27-2010, 04:41 PM
Joe Zeff
Let's talk about yum and p2p in Fedora
On 12/27/2010 09:15 AM, Patrick O'Callaghan wrote:
> Actually IIRC you have that the wrong way round. NAT was invented to
> deal with address space exhaustion, and had the side-effect of hiding
> machines behind the router.
Before somebody steps in again to point out that NAT isn't a firewall,
I'd like to give my perspective on it. If your router uses NAT and only
forwards those ports you've told it to (and then, each port only goes to
one machine) port scanners can't find your machines because nothing
responds to their attempts to connect. And, of course, even if you have
malware trying to act as some sort of server it won't do any good unless
your machine initiates the connection. No, this isn't a firewall, but
it's better than having your box sitting on the net completely exposed.
Consider NAT as one layer of protection in a properly designed and
implemented defense in depth.
12-27-2010, 04:44 PM
Chris Adams
Let's talk about yum and p2p in Fedora
Once upon a time, Joe Zeff <joe@zeff.us> said:
> Before somebody steps in again to point out that NAT isn't a firewall,
> I'd like to give my perspective on it. If your router uses NAT and only
> forwards those ports you've told it to (and then, each port only goes to
> one machine) port scanners can't find your machines because nothing
> responds to their attempts to connect. And, of course, even if you have
> malware trying to act as some sort of server it won't do any good unless
> your machine initiates the connection. No, this isn't a firewall, but
> it's better than having your box sitting on the net completely exposed.
> Consider NAT as one layer of protection in a properly designed and
> implemented defense in depth.
NAT is a combination of a stateful firewall and a packet mangler (that
changes the IP+port fields). A stateful firewall without a packet
mangler (i.e. no NAT) is just as secure.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
12-27-2010, 04:53 PM
Genes MailLists
Let's talk about yum and p2p in Fedora
On 12/27/2010 12:44 PM, Chris Adams wrote:
> implemented defense in depth.
>
> NAT is a combination of a stateful firewall and a packet mangler (that
> changes the IP+port fields). A stateful firewall without a packet
> mangler (i.e. no NAT) is just as secure.
probably - and yes if all is configured well - however, at first blush
it seems firewall misconfiguration (errors) could be less of an issue
with non-routable addresses - they have nowhere to go on the inside -
and since some of us have less experience with ip6 - this may be more of
an issue than with ip4 - I could be being naive here ...
12-27-2010, 05:14 PM
Tom H
Let's talk about yum and p2p in Fedora
On Mon, Dec 27, 2010 at 12:41 PM, Joe Zeff <joe@zeff.us> wrote:
> On 12/27/2010 09:15 AM, Patrick O'Callaghan wrote:
>>
>> Actually IIRC you have that the wrong way round. NAT was invented to
>> deal with address space exhaustion, and had the side-effect of hiding
>> machines behind the router.
>
> Before somebody steps in again to point out that NAT isn't a firewall,
> I'd like to give my perspective on it. If your router uses NAT and only
> forwards those ports you've told it to (and then, each port only goes to
> one machine) port scanners can't find your machines because nothing
> responds to their attempts to connect. And, of course, even if you have
> malware trying to act as some sort of server it won't do any good unless
> your machine initiates the connection. No, this isn't a firewall, but
> it's better than having your box sitting on the net completely exposed.
> Consider NAT as one layer of protection in a properly designed and
> implemented defense in depth.
NAT doesn't have anything to do with security.
In your example above, what's the difference between scanning your NAT
box for open ports and having them forwarded by the NAT box to a box
on your internal network or scanning a publicly accessible box on your
internal network directly?
The firewall's the only defense in both cases.
12-27-2010, 10:14 PM
Joe Zeff
Let's talk about yum and p2p in Fedora
On 12/27/2010 09:44 AM, Chris Adams wrote:
> A stateful firewall without a packet
> mangler (i.e. no NAT) is just as secure.
No argument from me.
12-27-2010, 10:16 PM
Marko Vojinovic
Let's talk about yum and p2p in Fedora
On Monday 27 December 2010 18:14:25 Tom H wrote:
> On Mon, Dec 27, 2010 at 12:41 PM, Joe Zeff <joe@zeff.us> wrote:
> > On 12/27/2010 09:15 AM, Patrick O'Callaghan wrote:
> >> Actually IIRC you have that the wrong way round. NAT was invented to
> >> deal with address space exhaustion, and had the side-effect of hiding
> >> machines behind the router.
> >
> > Before somebody steps in again to point out that NAT isn't a firewall,
> > I'd like to give my perspective on it. If your router uses NAT and only
> > forwards those ports you've told it to (and then, each port only goes to
> > one machine) port scanners can't find your machines because nothing
> > responds to their attempts to connect.
Oh, but the scanner *will* get a response, that's the whole point of port-forwarding.
A scanner sends out a bait, NAT forwards it to appropriate server,
the server responds, NAT forwards the response back to the scanner.
This way the scanner can find out about all your open ports on all servers
behind your NAT, by scanning only one machine (the one facing the internet).
This is actually an added benefit for the scanner, courtesy of NAT. :-)
> > And, of course, even if you have
> > malware trying to act as some sort of server it won't do any good unless
> > your machine initiates the connection.
If malware has infected one of your machines, it typically *will* initiate the
connection (calling-home), and the NAT will do nothing to prevent
communication in that case.
> > No, this isn't a firewall, but
> > it's better than having your box sitting on the net completely exposed.
If you have a firewall (and you need one both with and without NAT), the
machine is never completely exposed. NAT doesn't add any security beyond the
firewall.
> > Consider NAT as one layer of protection in a properly designed and
> > implemented defense in depth.
As I heard somewhere, NAT is usually compared to Japanese paper wall, defense-wise.
IOW, zero protection.
> NAT doesn't have anything to do with security.
>
> In your example above, what's the difference between scanning your NAT
> box for open ports and having them forwarded by the NAT box to a box
> on your internal network or scanning a publicly accessible box on your
> internal network directly?
>
> The firewall's the only defense in both cases.
Well, there is a slight difference, which makes NAT even *less* secure than the
non-NAT solution. :-)
Namely, in the case of having several servers with public IPs behind a
firewall (i.e. no NAT), the attacker needs to know the IP of each particular
machine he wants to attack.
However, in the case of having several servers with local IPs behind a NAT
and a firewall (with appropriate port-forwarding to each server), the attacker
needs to know *only* your single public IP, and he can successfully attack all
of the servers behind a NAT through that one.
So, the attacker has a (slightly) easier job if you do have NAT than if you
don't. Other than that, there is absolutely no difference, and the firewall is
the only true line of defense, as you remarked.
Best, :-)
Marko
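The disagreement in this thread (NAT as one layer of defense versus the stateful firewall being the only defense) can be made concrete with a small model. This is an added example, not code from anyone on the thread and not iptables or nf_conntrack: one stateful filter class with the usual policy (accept ESTABLISHED, accept NEW from inside, accept NEW from outside only to explicitly opened services) is used unchanged by a plain routing gateway (public or IPv6 addresses, no rewriting) and by a NAT gateway that adds the "packet mangler" Chris describes (DNAT for a forwarded port, SNAT for outbound flows). Addresses, ports, the inside-prefix test, and the source-port-preserving SNAT are constructed assumptions. Running the same three events through both gateways shows that the filter makes every decision: the scan of a closed port is dropped by both, the forwarded web port answers in both (the scanner does get a reply, as Marko says), and a call-home from an infected inside host passes in both.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True marks a connection attempt (what conntrack would call NEW)


class StatefulFilter:
    """Connection-tracking filter with the usual policy, independent of any NAT.

    inside_prefix: string prefix identifying inside addresses (model assumption)
    open_services: set of (address, port) pairs reachable from outside
    """

    def __init__(self, inside_prefix, open_services):
        self.inside_prefix = inside_prefix
        self.open_services = set(open_services)
        self.conntrack = set()  # flows seen, stored in both directions

    def _is_inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:          # ESTABLISHED: reply to a known flow
            return True
        if not pkt.syn:                    # no state and not a new attempt: INVALID
            return False
        if self._is_inside(pkt.src) or (pkt.dst, pkt.dport) in self.open_services:
            self.conntrack.add(key)
            self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))  # reply direction
            return True
        return False                       # NEW from outside to an unopened service


class Gateway:
    """Router with a stateful filter and no address rewriting (the public-IP / IPv6 case)."""

    def __init__(self, filt):
        self.filt = filt

    def inbound(self, pkt):
        return pkt if self.filt.decide(pkt) else None

    def outbound(self, pkt):
        return pkt if self.filt.decide(pkt) else None


class NatGateway(Gateway):
    """Same filter plus the packet mangler: DNAT for forwarded ports, SNAT for outbound flows."""

    def __init__(self, filt, public_ip, forwards):
        super().__init__(filt)
        self.public_ip = public_ip
        self.forwards = forwards  # {public_port: (inside_addr, inside_port)}
        self.snat = {}            # (remote, rport, public_port) -> (inside_addr, inside_port)

    def inbound(self, pkt):
        if pkt.dst == self.public_ip:
            inner = self.snat.get((pkt.src, pkt.sport, pkt.dport)) or self.forwards.get(pkt.dport)
            if inner is not None:  # rewrite happens before filtering, as DNAT does in PREROUTING
                pkt = replace(pkt, dst=inner[0], dport=inner[1])
            # with no mapping the packet is addressed to the router itself; the filter still decides
        return super().inbound(pkt)

    def outbound(self, pkt):
        if not self.filt.decide(pkt):
            return None
        self.snat[(pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)  # source port kept (assumption)
        return replace(pkt, src=self.public_ip)


def scenario(gw, attacker, scan_target, inside_host):
    """Push the same three events through a gateway; returns which ones got through."""
    results = {}
    # 1. unsolicited SYN to a port nobody opened or forwarded (22)
    results["scan_closed_port"] = gw.inbound(Packet(attacker, 40000, scan_target, 22, True)) is not None
    # 2. SYN to the opened / forwarded web port (80): the server will answer
    results["scan_open_port"] = gw.inbound(Packet(attacker, 40001, scan_target, 80, True)) is not None
    # 3. an inside host initiates a connection out (call-home); the reply is ESTABLISHED
    out = gw.outbound(Packet(inside_host, 50000, attacker, 443, True))
    reply = gw.inbound(Packet(attacker, 443, out.src, out.sport, False)) if out else None
    results["call_home"] = reply is not None
    return results


def build_nat_gateway():
    # constructed addresses from the documentation ranges
    filt = StatefulFilter("10.0.0.", {("10.0.0.5", 80)})
    return NatGateway(filt, "203.0.113.1", {80: ("10.0.0.5", 80)})


def build_plain_gateway():
    filt = StatefulFilter("2001:db8::", {("2001:db8::5", 80)})
    return Gateway(filt)


NAT_RESULTS = scenario(build_nat_gateway(), "198.51.100.9", "203.0.113.1", "10.0.0.7")
PLAIN_RESULTS = scenario(build_plain_gateway(), "2001:db8:ffff::9", "2001:db8::5", "2001:db8::7")

if __name__ == "__main__":
    print("NAT  :", NAT_RESULTS)
    print("plain:", PLAIN_RESULTS)
```

Removing the rewriting step changes nothing about which packets are delivered; remove the `open_services` entry or the inside-origin rule from the filter instead and both gateways change behaviour together. That is the practical reading of Chris's point, and also of Gene's worry about IPv6: the rules to get right when NAT goes away are the filter's, and they are the same rules that were already doing the work.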