* NAT Helper or UPnP?
From: 练书成 @ 2004-07-05 6:38 UTC (permalink / raw)
To: netfilter
Hi,
I really wonder about the future of the nat helper mechanism because of UPnP.
UPnP can do all the things that nat helper can do. Using UPnP, if we want
to provide nat traversing in a gateway we won't need to survey any application
protocol and just need to support upnp. Then traversing nat is a task for
application client providers and it is much simpler for them -- they just
provide a upnp script or subfunction and publish it in the next version.
Then can anyone tell me a more detailed comparison between nat helper and
UPnP and give the advantage of the nat helper mechanism in comparison with UPnP.
Thank you very much!!!
--s.c.lian
* Re: NAT Helper or UPnP?
From: Antony Stone @ 2004-07-05 7:29 UTC (permalink / raw)
To: netfilter
On Monday 05 July 2004 7:38 am, 练书成 wrote:
> Hi,
>
> I really wonder the future of nat helper mechanism because of the UPnP.
>
> UPnP can do all the things that nat helper can do.
Securely?
> Using UPnP, If we want to provide nat traversing in gateway we won't need to
> survey any application protocol and just need to support the upnp.
How about you only want to support one protocol, and not the others?
> Then anyone can tell me a more detailed comparison between nat helper
> and UPnP and give the advantage of nat helper mechanism comparison the
> UPnP.
I know this is by no means a detailed reply, but I would say it comes down to
one word - "security".
Everything I have read / heard about uPnP suggests that it is not a secure
mechanism, and therefore is not supported through firewalls in the same way
that RPC isn't, for example.
Regards,
Antony.
--
Microsoft may sell more software than any other company, but McDonald's sell
more burgers than any other company, and I think the other similarities are
obvious...
Please reply to the list;
please don't CC me.
* Re: NAT Helper or UPnP?
From: Gavin Hamill @ 2004-07-05 7:48 UTC (permalink / raw)
To: netfilter
On Monday 05 July 2004 08:29, Antony Stone wrote:
> I know this is by no means a detailed reply, but I would say it comes down
> to one word - "security".
I'll second that.
Microsoft released a long article extolling the virtues of UPnP where it
pitches the system as a replacement for X.10 home automation, (e.g.
everything including your alarm clock is UPnP enabled, and gets
synchronised / alarms set by a central server), with only a small mention of
the hideous firewall 'features'.
UPnP moves policy and security decisions from the firewall ruleset where they
properly belong to a userspace app running on Windows - forgive me, but the
designer of this system seems like a candidate for the Darwin Awards of the
most dangerous and stupid network idea ever - just think the next version of
Sasser / Fizzer would open ports on your $50 UPnP-enabled firewall and make
you be an even bigger zombie host.
And all in the name of 'ease of use' - bah. Let's hope a huge lawsuit against
Netgear / Belkin / other low-end router manufr. puts an end to this disease.
gdh
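An added example, not part of the original thread: a Python sketch of what keeping the policy decision on the firewall side would look like, by checking a UPnP IGD AddPortMapping request against an administrator-defined allow-list before honouring it. The sample request, the ALLOWED policy and the function names are constructed for illustration; the argument names are those of the IGD WANIPConnection AddPortMapping action.

```python
import xml.etree.ElementTree as ET

# Constructed sample: SOAP body of a UPnP IGD AddPortMapping request.
SAMPLE_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>445</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>445</NewInternalPort>
   <NewInternalClient>192.168.1.23</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>updater</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

# Hypothetical administrator policy: the only (protocol, external port) pairs
# a LAN client may request.
ALLOWED = {("UDP", 3074)}

def parse_mapping(soap_xml):
    """Return the AddPortMapping arguments as a dict of element name -> text."""
    for el in ET.fromstring(soap_xml).iter():
        if el.tag.endswith("}AddPortMapping"):
            return {arg.tag: (arg.text or "").strip() for arg in el}
    raise ValueError("no AddPortMapping action in request")

def review(soap_xml, requester_ip, allowed=ALLOWED):
    """List the policy problems with one mapping request (empty list = acceptable)."""
    m = parse_mapping(soap_xml)
    findings = []
    if m["NewInternalClient"] != requester_ip:
        findings.append("third-party-target")   # forwards to a host other than the requester
    if (m["NewProtocol"].upper(), int(m["NewExternalPort"])) not in allowed:
        findings.append("not-in-policy")        # ruleset author never approved this port
    if m["NewLeaseDuration"] == "0":
        findings.append("no-expiry")            # IGD v1: 0 means a static mapping
    if not m["NewRemoteHost"]:
        findings.append("any-remote-host")      # empty value is a wildcard source
    return findings

if __name__ == "__main__":
    print(review(SAMPLE_REQUEST, "192.168.1.23"))
```
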
* RE: NAT Helper or UPnP?
From: Mark E. Donaldson @ 2004-07-05 17:56 UTC (permalink / raw)
To: 'Gavin Hamill', netfilter
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Gavin Hamill
Sent: Monday, July 05, 2004 12:48 AM
To: netfilter@lists.netfilter.org
Subject: Re: NAT Helper or UPnP?
On Monday 05 July 2004 08:29, Antony Stone wrote:
> I know this is by no means a detailed reply, but I would say it comes
> down to one word - "security".
I'll second that.
Microsoft released a long article extolling the virtues of UPnP where it
pitches the system as a replacement for X.10 home automation, (e.g.
everything including your alarm clock is UPnP enabled, and gets synchronised
/ alarms set by a central server), with only a small mention of the hideous
firewall 'features'
UPnP moves policy and security decisions from the firewall ruleset where
they properly belong to a userspace app running on Windows - forgive me, but
the designer of this system seems like a candidate for the Darwin Awards of
the most dangerous and stupid network idea ever - just think the next
version of Sasser / Fizzer would open ports on your $50 UPnP-enabled
firewall and make you be an even bigger zombie host.
And all in the name of 'ease of use' - bah. Let's hope a huge lawsuit
against Netgear / Belkin / other low-end router manufr. puts an end to this
disease.
gdh
How about a third. Permitting Microsoft's UPnP through your firewall is
equivalent to taking all the curtains down in your house and letting the
entire world look inside. But alas, they may not be content with just
viewing as they may see some things they might like and will eventually
break in at night and take them.
* Re: NAT Helper or UPnP?
From: Antony Stone @ 2004-07-05 18:18 UTC (permalink / raw)
To: netfilter
On Monday 05 July 2004 6:56 pm, Mark E. Donaldson wrote:
> > On Monday 05 July 2004 08:29, Antony Stone wrote:
> > > I know this is by no means a detailed reply, but I would say it comes
> > > down to one word - "security".
> >
> > I'll second that.
>
> How about a third. Permitting Microsoft's UPnP through your firewall is
> equivalent to taking all the curtains down in your house and letting the
> entire world look inside. But alas, they may not be content with just
> viewing as they may see some things they might like and will eventually
> break in at night and take them.
Actually, I'd say the analogy above is more like running IIS (or some similar
service where a quick scan will reveal the version of vulnerabilities you're
running, and the attacker can then come back with the right tool when they
want to exploit it).
uPnP would let the burglars look through your windows in the afternoon, say
"that looks nice", and take it there and then.
The whole point of uPnP is to advertise the availability of services, so
allowing it through a firewall is simply inviting people to partake of those
services as they wish.
Regards,
Antony.
--
If you can't find an Open Source solution for it, then it isn't a real
problem.
Please reply to the list;
please don't CC me.