zirias@
Developer
I now better assume you're making this up ... right?
I now better assume you're making this up ... right?
But it's pure & plain, simple aristhotelian logic applied: We do what you requested, and it points us to a source that in contrast you call unreliable & misleading... Well, your last posts were more substantial & hopefully we can continue that way. This topic is too important & does not deserve a discussion spiked with personal taunts. If you feel there is one against you, please just ignore it & keep on with relevant infos & hints. Thx in advance, sincerely yours, MjölnirI now better assume you're making this up ... right?
Well, complaints like issued in this thread come from this idea of NAT as something "helping security", which it isn't and never has been and I think it's REALLY important to understand this misconception. The patch here aims to *improve* NAT, and given the declared goal of NAT, which is *enabling* connections, it does exactly that.
That's the thinking I consider kind of dangerous, cause this "security" is a byproduct of the shortcomings of NAT, and improving NAT will then decrease this kind of "security". The objective of NAT is to allow as many packets as possible to find their target.
That however is a rant I can relate with, but I'd argue it's not really tied to NAT. As a firewall administrator, you maybe want to open up a specific port on a specific machine for UDP to allow a specific game to communicate. Whether you have to "forward" this port or not won't change anything in principle. A better NAT might remember a mapping automatically, so you don't have to explicitly forward something, but you still have to allow this communication. Thinking IPv6: You won't have/need NAT, but you'd probably still block any incoming packets by default and you still want to allow packets to a specific UPD port on a specific machine for exactly THAT game.
Games or other network applications behaving this way are bad by design. Steamworks for example uses libjingle to find a workable connection from a set of candidates, this employs STUN which simply cannot work with a symmetric NAT, it also leaks private IP addresses and there is nothing whatsoever that could be configured by a user. In the end, the only connection that has a chance to succeed if you are behind a symmetric NAT is via a relay server, whch might introduce additional latency and that is exactly the opposite of what you'd want for the purpose of gaming.
I might be mistaken here as I don't use that kind of crap, but my guess is that even consumer grade routers these days more and more use symmetric NAT. There is nothing wrong with automatic approaches in general, as long as developers give the user at least the option to make it work, when these mechanisms fail.
They use it for IPv4 as there is just no other option. They nowadays support IPv6, of course without NAT. And ISPs offer more and more "ds-lite" where you get IPv4 only through a tunnel (over v6) with a private address that is *again* NAT'ed at the ISP.
firewall_type=workstation) that answers ICMP of my ISP (to debug a problem should they need to), and deny all others. That's really simple. Of course, now that they NAT me, that makes no sense, but when they give me IPv6, I could do that easily.
