North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Where NAT disenfranchises the end-user ...

  • From: Roeland Meyer
  • Date: Fri Sep 07 14:59:27 2001

|> From: Jim Shankland [mailto:[email protected]]
|> Sent: Friday, September 07, 2001 11:33 AM

|> "Mike Batchelor" <[email protected]> writes:
|> > Oh yes, the firewall.  That convenient device that network software
|> > developers can assume will always pass port 80 and 443 traffic.  So
|> > everything uses port 80 and 443 in the future Internet, 
|> and we're all the
|> > better for it.
|> Um, sure, but what are you arguing?  That firewalls are useless and
|> should all go away?  (Good luck.)  That firewalls don't 
|> really exist :-)?

Actually, for the ports that they have proxyd for, they don't. It's called
"transparency", one of those fundimentaly concepts. The ports that they
block, are supposed to be blocked, by design and not by accident. Firewalls
are deterministic, NAT boundaries aren't.

|> Maybe it would be useful to design a base protocol that would
|> provide a standardized method for things like passing an <address,
|> port> tuple, or registering a desire to receive packets on a
|> particular UDP port -- the kind of things that gamers, e.g., 
|> want, and
|> that are tricky to make work through a NAT.  Games, etc., could be
|> written on top of this base protocol, and NATs and firewalls could
|> be made to be aware of that protocol.  Just a thought; any
|> merit to it?

You've just described a NAT proxy daemon. I've spent years trying to write
one. If you are that good, send code. Or better yet, send it to The fundimental reason that you can't write one is that
it requires a whole other protocol that 1) deosn't exist, 2)Isn't
implemented, 3)Violates more than one of Dykstra's laws.