Хабрадети вышли из NATо! Сенсацыи, скандалы, расследования
Дети с хабра опять изобрели "волшебную пробивалку NATа". За аффтара программы pwnat не скажу (хо-хо, он-то говорит, шта STUN и ICE "не нужны!"(с) Как насчет TURN? А libastral.so?), но аффтар новости точно не читал RFC3489, описания p2p-техник пробоя NATов и... банально, вездессущий "скайп" с его чорной магией - откуда еще такое ощущение новизны с каким этот боян голимый про очередной велосипет выдан за "новость" в собственном смысле слова.
Ну и : альтернативное мнение Капитана Сетевая Безопасность:
"Here is what one of my security gods said when I asked him to look at pwnat:
pwnat is pretty shitty and broken. it might work for some subset of users, but it is not friendly nor robust.
in addition, any robust NAPT implementation will not work with it, since this assumes insecure public face port assignments, and after the whole kaminsky fucks DNS debacle, isn't so true anymore...
pwnat assumes ICMP broadcasts (like host/port unreachable) are forwarded by the NAT to all clients behind it. This is not true for anything but shitty ass broadband routers they ship in bulk to unsuspecting FiOS and Comcrap customers.
Not only that, but opening a raw socket to listen for ICMP is a non-starter for the windoze crowd unless they want to install WinPCAP kernel drivers....
Last, this shitty piece of shit actually broadcasts random UDP to 3.3.3.3 destination every five fucking seconds, like a giant "HEY I'M AN ASSHOLE USING THIS PARTICULAR PIECE OF RARE, SHITTY TECH" >beacon to the world.
Please don't use this; even better, forget it existed at all :)" (с) Конец цытаты.
Ну и : альтернативное мнение Капитана Сетевая Безопасность:
"Here is what one of my security gods said when I asked him to look at pwnat:
pwnat is pretty shitty and broken. it might work for some subset of users, but it is not friendly nor robust.
in addition, any robust NAPT implementation will not work with it, since this assumes insecure public face port assignments, and after the whole kaminsky fucks DNS debacle, isn't so true anymore...
pwnat assumes ICMP broadcasts (like host/port unreachable) are forwarded by the NAT to all clients behind it. This is not true for anything but shitty ass broadband routers they ship in bulk to unsuspecting FiOS and Comcrap customers.
Not only that, but opening a raw socket to listen for ICMP is a non-starter for the windoze crowd unless they want to install WinPCAP kernel drivers....
Last, this shitty piece of shit actually broadcasts random UDP to 3.3.3.3 destination every five fucking seconds, like a giant "HEY I'M AN ASSHOLE USING THIS PARTICULAR PIECE OF RARE, SHITTY TECH" >beacon to the world.
Please don't use this; even better, forget it existed at all :)" (с) Конец цытаты.