kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev
frigginglorious has quit [Remote host closed the connection]
frigginglorious has joined #sandstorm
<isd>
ocdtrekkie: iirc we'd talked a bit about the possibility of having Sandstorm automatically configure port forwarding, but kind of dismissed the idea because UPnP has security problems. But I was reading a bit about NAT traversal earlier and discovered there are some more recent protocols out there for this sort of thing; transmission (bittorrent client) seems to use something called NAT-PMP, and there's apparently a successor to
<isd>
that called Port Control Protocol. I wonder if it's worth revisiting to see if there's a good option for this after all.
<crab>
hi isd.
<JacobWeisz[m]>
I guess my main peeve was the general concept of a device inside a network being allowed or capable of configuring the router without authentication, rather than the specifics of UPnP as a protocol.
<isd>
I mean, in this case, "configure the router" really just means "work around the fact that NAT means you can't just listen()"
<isd>
crab: hi
<JacobWeisz[m]>
I suppose if newer versions of the protocol/concept exist and are used today by modern software, I guess we might as well. It just feels like something I'd not want my router to respond to.
<JacobWeisz[m]>
So my question is what percentage of home routers support whatever we implement out of the box?
<isd>
I kinda expect to find the newer versions won't let you grab 80/443. But it's worth looking into what we can expect from most routers I think.
kawaiipunk has quit [Quit: Leaving this Club]
kawaiipunk has joined #sandstorm
wings has quit [Ping timeout: 264 seconds]
frigginglorious1 has joined #sandstorm
frigginglorious has quit [Ping timeout: 264 seconds]
frigginglorious1 is now known as frigginglorious
frigginglorious has quit [Read error: Connection reset by peer]
frigginglorious1 has joined #sandstorm
frigginglorious1 is now known as frigginglorious
frigginglorious has quit [Ping timeout: 264 seconds]
xet7 has joined #sandstorm
griff_ has joined #sandstorm
edwardl has joined #sandstorm
nicoo has quit [Ping timeout: 240 seconds]
nicoo has joined #sandstorm
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
xet7 has quit [Quit: Leaving]
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
<TimMc>
isd: Not to mention some ISPs block inbound 80 and 25 in their infrastructure.
<JacobWeisz[m]>
Yeah, I choose to keep 6080 because even if my ISP doesn't block it, it's against the TOS for me to serve at well-known ports.
<TimMc>
It helps to think of NATs and firewalls as distinct -- UPnP gets around the accidental firewalling that NAT induces, but you can still set policy about what is allowed to listen.
<TimMc>
(depending on your router, heh)
<TimMc>
IMO NATs are one of the worst things to happen to personal computing.
<JacobWeisz[m]>
I don't know... the accidental security they produce has probably saved a lot of people a lot of pain.
griff_ has quit [Quit: griff_]
<jfred>
maybe, but I feel like that has more to do with the firewall than with the NAT; a default-deny firewall would provide similar levels of security
<jfred>
a default-deny firewall alone I should say
frigginglorious has joined #sandstorm
xet7 has joined #sandstorm
xet7 has quit [Read error: Connection reset by peer]
xet7 has joined #sandstorm
<JacobWeisz[m]>
I'm thinking about your D-Link and Netgear home routers of the world where admin/password has thrived for a decade or more and the user has no idea if they have a firewall or not.
xet7 has quit [Remote host closed the connection]
xet7 has joined #sandstorm
xet7 has quit [Client Quit]
<TimMc>
That's part of why port 80 inbound is blocked by ISPs, too. :-P
kentonv has quit [Quit: Leaving]
xet7 has joined #sandstorm
kentonv has joined #sandstorm
frigginglorious1 has joined #sandstorm
xet7 has quit [Quit: Leaving]
frigginglorious has quit [Ping timeout: 265 seconds]
frigginglorious1 is now known as frigginglorious
frigginglorious has quit [Remote host closed the connection]
xet7 has joined #sandstorm
frigginglorious has joined #sandstorm
frigginglorious has quit [Remote host closed the connection]
frigginglorious has joined #sandstorm
xet7 has quit [Remote host closed the connection]
xet7 has joined #sandstorm
<isd>
fwiw the few ISPs I've had where I've tried port 80, it's been open -- frankly it's not that rife for abuse and it's unlikely for something to accidentally expose itself.
<isd>
port 25 is another story though
<isd>
But yes, I think there's firewalls, and then there's port forwarding... which is basically just "routing" in the context of a NAT, so that is something routers should be doing, I think...
<JacobWeisz[m]>
I haven't tested mine, I just know it's a terms violation to use it.
<JacobWeisz[m]>
I imagine the home ISPs larger than mine have similar terms, whether they bother to technically block it or not.
<isd>
Maybe we shouldn't try to use the low ports in the auto-config anyway then; if the user wants that they can do the forwarding manually. That way it's more likely people know what they're getting into there.
<isd>
In an ideal world, networks would operate on capability principles, so you'd hook your sandstorm box up to the network, and it would do the network equivalent of a powerbox request, and a thing would pop up on your phone/laptop letting you decide how to expose it.
<isd>
But we're stuck with IP and NAT I think :P
<isd>
I think tonight is office hours?
<JacobWeisz[m]>
I think so, yeah.
<isd>
Ok, let's go with that then.
<isd>
Someone else should make a notes grain; my sandstorm box isn't booting and I still need to troubleshoot why.
<isd>
...or not. Got it working, finally.
<isd>
Ok, made a notes grain.
griff_ has joined #sandstorm
frigginglorious has quit [Read error: Connection reset by peer]
frigginglorious has joined #sandstorm
griff_ has quit [Quit: griff_]
frigginglorious1 has joined #sandstorm
frigginglorious has quit [Ping timeout: 272 seconds]
frigginglorious1 is now known as frigginglorious
frigginglorious has quit [Read error: Connection reset by peer]