* chownat
@ 2008-08-04 15:07 Brent Clark
2008-08-04 16:42 ` chownat Grant Taylor
2008-08-04 16:50 ` chownat Jan Engelhardt
0 siblings, 2 replies; 5+ messages in thread
From: Brent Clark @ 2008-08-04 15:07 UTC (permalink / raw)
To: 'Mail List - Netfilter'
Hi

I would like to know:
has anyone played with chownat?
(Link: http://samy.pl/chownat/ )

I haven't played with or tested it, but from what I gather, isn't this how
Skype works and theoretically breaks / gets past NAT?

In my opinion this proves that people who rely solely on NAT are in
for a surprise.

I look forward to people's opinions / thoughts.

Hope I'm wrong.

Kind Regards
Brent Clark
* Re: chownat
From: Grant Taylor @ 2008-08-04 16:42 UTC (permalink / raw)
To: Mail List - Netfilter
On 08/04/08 10:07, Brent Clark wrote:
> Has anyone played with chownat?

I can't say as I have.

> I haven't played with or tested it, but from what I gather, isn't this how
> Skype works and theoretically breaks / gets past NAT?

I don't know how Skype works so I can't say. I believe the general
premise behind things like this is that NAT can fairly easily be
subverted by having both ends try to initiate an outbound connection to
each other in such a manner that the outbound connections can end up in
a fashion (a very poor choice of words) "spliced together" by somehow
confusing (?) the NAT table and / or state table so that the NATing
devices believe that each end is really receiving replies to its own
outbound connections from the other end. Thus there is a form of two
way tunnel between the two ends. I believe that usually a third entity
in the middle is needed to initiate the connection which once initiated
falls back to just the two end points.

Take a look at how STUN works for UDP and VoIP.

> In my opinion this proves that people who rely solely on NAT are in
> for a surprise.

The thing that you have to remember is 1) this type of tunnel requires
active support (someone doing something) on both ends, 2) NAT is not a
security mechanism, and 3) this does not take into account any form of
egress filtering that should help stop this.

> I look forward to people's opinions / thoughts.

*nod*

Please provide more of your opinion / concerns for the sake of discussion.

> Hope I'm wrong.

I don't think you are wrong. Things like this can and will be abused.
There are also cases where things like this are a good thing, i.e. STUN
for VoIP. This, or its technology, is a tool and just like any other
tool, it can be used for both good *and* bad.

Grant. . . .
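
Added example, not part of the message above and not chownat's code: a toy Python model of the premise described in that reply (each stateful NAT treats the peer's outbound datagram as a reply to its own) and of point 3, egress filtering. The `Nat` class, the port-preserving source NAT and all addresses and ports are constructed assumptions; no real traffic is sent.

```python
# Toy model of two stateful NAT gateways (constructed addresses, no real traffic).
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    egress_ports: frozenset = None   # None = no egress filtering; else allowed dst ports
    state: dict = field(default_factory=dict)  # (public port, remote) -> inside host

    def outbound(self, src, dst):
        """Inside host sends src -> dst. Returns translated source, or None if filtered."""
        if self.egress_ports is not None and dst[1] not in self.egress_ports:
            return None                    # egress policy drops it; no state is created
        pub = (self.public_ip, src[1])     # assumption: port-preserving source NAT
        self.state[(pub[1], dst)] = src    # replies are expected from exactly this remote
        return pub

    def inbound(self, src, dst):
        """Outside packet src -> dst. Passed on only if it matches existing state."""
        return self.state.get((dst[1], src))   # inside host, or None (dropped)


def send(nat_from, host, peer_pub, nat_to):
    """One UDP datagram from host, through its NAT, to the peer's public endpoint."""
    pub = nat_from.outbound(host, peer_pub)
    if pub is None:
        return "filtered at egress"
    return "delivered" if nat_to.inbound(pub, peer_pub) else "dropped (no state)"


def run(egress_ports=None):
    nat_a = Nat("198.51.100.1", egress_ports)   # site A, optionally egress-filtered
    nat_b = Nat("203.0.113.1")
    a, b = ("192.168.1.10", 4000), ("10.0.0.20", 5000)
    # Each side already knows the other's public endpoint (the "third entity" step).
    a_pub, b_pub = (nat_a.public_ip, a[1]), (nat_b.public_ip, b[1])
    return [
        send(nat_a, a, b_pub, nat_b),   # A -> B: creates state on NAT A only
        send(nat_b, b, a_pub, nat_a),   # B -> A: matches NAT A's state as a "reply"
        send(nat_a, a, b_pub, nat_b),   # A -> B again: now a "reply" for NAT B
    ]


if __name__ == "__main__":
    print("no egress filter:         ", run())
    print("egress limited to DNS/NTP:", run(frozenset({53, 123})))
```

With the egress allow-list on site A, no state entry is ever created there, so the peer's datagram is never matched as a reply.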
* Re: chownat
From: Jan Engelhardt @ 2008-08-04 16:50 UTC (permalink / raw)
To: Brent Clark; +Cc: 'Mail List - Netfilter'
On Monday 2008-08-04 11:07, Brent Clark wrote:
>
> I would like to know.
>
> Has anyone played with chownat.
> (Link : http://samy.pl/chownat/ ).
Also see http://linux.die.net/man/2/fchownat ;-)