COM/CORBA/DCOP (was: Hello people. I have some questions)

Alex Martelli aleax at aleax.it
Wed Sep 5 03:41:16 EDT 2001


"Erno Kuusela" <erno-news at erno.iki.fi> wrote in message
news:kug0a2h37i.fsf at lasipalatsi.fi...
> In article <9n292n01lg1 at enews3.newsguy.com>, "Alex Martelli"
> <aleax at aleax.it> writes:
>
> | "Erno Kuusela" <erno-news at erno.iki.fi> wrote in message
> | news:kusne3hcry.fsf at lasipalatsi.fi...
> ||
> || "joy" and "nat" in the same sentence? ugh!
>
> | With ipf/ipnat, the oxymoron of joyful nat'ting
> | magically became possible:-).
>
> but it's a fundamentally broken concept!

I guess we'll just have to agree to disagree on this point.

> over here isps tend to sell ip connections with 10.x addresses + nat
> as "internet" to people and then you can't do anything except
> browse the web and read email.

...and irc and news and cvs and ntp and okbridge and icq and...
I don't particularly care about video-on-demand at this point
in time, but with nat &c correctly configured, I see no
fundamental technical reason it couldn't be made to work.

Of course, I'll have to go with dynamic DNS to match the
dynamic IP assignment if I want to offer servers, but that's
got nothing to do with NAT'ting -- even just one box with
a dynamic IP address would be in the same boat.

> there is a good rant about this and other internet breaking stuff
> at <URL:
> http://www.technetcast.com/tnc_play_stream.html?stream_id=311>.

If you can give me URLs to transcripts of this, or other
_written_ material, I'll be happy to read and ponder over
them, but I don't do video/audio at this point.

> i suppose it might be ok if you do it in the privacy of your
> own home and don't impose it on hapless users who aren't aware
> it breaks a lot of stuff.

You could argue I'm imposing it on my hapless girlfriend, who,
while a whiz website designer, can't tell ICMP from IGMP (but
I'm sure she'll be great at Python when I finally manage to
work around her instinctive "no way I'm not a programmer I'm
not gonna even look at this" reaction:-).

> | for security-crucial functions...?  "The pieces that aren't
> | there are those you know won't break", etc, etc".
>
> well, putting X on the firewall doesn't make it any more or less
> stable

In theory, but -- the difference between theory and practice,
in practice, is larger than the difference between practice
and theory, in theory.  _Maybe_ I can have X and a zillion
other things and everything will be just peachy -- and then,
maybe again, I can't... what unsuspected exploitable bugs
may lie in software I've installed when I could well have
avoided installing it?  *the pieces that aren't there are
the ones you KNOW won't break*.

> (unless you allow untrusted users shell accounts on it,
> but you can't really defend someone with a shell account
> from rooting a unix box (including openbsd) anyway).

I wonder -- when it's consolidated and hardened enough, I
might experiment with that.  But anyway, who's happy with
a single layer of defense?  I want security in depth, and
all feasible precautions.  Not have avoidable accounts on
the firewall box, but not have avoidable pieces of software
on it either (minimal base OpenBSD 2.9 install, plus of
course *Python*, which *is* absolutely indispensable, and
_maybe_ some proxies just so I can tighten the FW down even
more while still allowing the PCs to access the internet
through the proxies).


> i've been pretty happy with running packet filtering on my single
> computer i have at home, but then i don't attempt anything very
> ambitious functionality wise.

As for me, I do need to share the ADSL connection among
half a dozen PCs (both Windows and Linux ones), and also
eventually run some small servers accessible from the outside
(unless that means code-red scans tie up all my very modest
bandwidth, of course:-) -- and I aim to do it all in the
safest way I can devise.  We'll see...


Alex
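
A minimal ipf/ipnat ruleset for the setup described in this post (an OpenBSD 2.9 box NAT'ting a 10.x LAN out over an ADSL link, default deny, stateful outbound, exactly one published server port), written here as an added example rather than taken from the post or from the IPFilter documentation. The interface names (tun0 for the ADSL link, fxp0 for the LAN), the 10.0.0.0/24 LAN, the inside host 10.0.0.2 and the choice of port 80 as the one exposed service are assumptions.

```conf
# /etc/ipnat.rules  (assumed: tun0 = ADSL link, fxp0 = LAN)
# Map the whole LAN behind whatever address tun0 currently has (0/32),
# so a dynamically assigned IP needs no rule change; portmap first for
# tcp/udp, then a plain map rule for everything else (e.g. icmp).
map tun0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:60000
map tun0 10.0.0.0/24 -> 0/32
# Publish one small server (assumed: a web server on 10.0.0.2) and nothing else.
rdr tun0 0/0 port 80 -> 10.0.0.2 port 80 tcp

# /etc/ipf.rules
# Default deny in both directions, logged: anything not listed below is
# dropped, and the log shows what knocked (code-red scans included).
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
# Anti-spoofing: private source addresses never arrive legitimately on
# the outside interface.
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 192.168.0.0/16 to any
# LAN hosts may initiate connections; the state entry lets replies back
# in without any "pass in on tun0" rule for them.
pass in quick on fxp0 proto tcp from 10.0.0.0/24 to any flags S keep state
pass in quick on fxp0 proto udp from 10.0.0.0/24 to any keep state
pass in quick on fxp0 proto icmp from 10.0.0.0/24 to any keep state
pass out quick on fxp0 all
# Outbound on the ADSL side, including the firewall's own traffic (ntp,
# cvs, ...); "flags S" means only a SYN may create tcp state.
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
# The single published service (rdr has already rewritten the destination
# to 10.0.0.2 by the time the filter sees it); every other inbound
# connection falls through to the default block.
pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
```

Load with `ipnat -CF -f /etc/ipnat.rules` followed by `ipf -Fa -f /etc/ipf.rules`, and check `ipfstat -io` to confirm the rules loaded in the intended order.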