Date: Thu, 9 Aug 2012 23:52:14 +0200 (MEST)
From: Patrick McHardy <kaber@...sh.net>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 00/19] netfilter: IPv6 NAT

On Thu, 9 Aug 2012, Eric W. Biederman wrote:

> kaber@...sh.net writes:
>
>> The following patches contain an updated version of IPv6 NAT against
>> Linus' current tree.
>>
>> The series is organized as follows:
>>
>> - Patches 01-03 contain bugfixes for SIP helper bugs/regressions
>>   present in the current kernel
>
> Why not just delete this code? The current best practices are to
> disable ALGs for SIP. To the point in some circles people recommend
> running SIP over TLS to avoid over helpful NAT ALGs.

And where can I read up on these best practices and how well they work?

In any case, these patches are all for the connection tracking helper,
which is needed unless you want to open up your firewall for every
possible RTP source, in which case you can simply disable it. Some
people are also using it to prioritize RTP streams without any filtering.

Also, even if the NAT helper would not mangle packets, it is still
needed to adjust expectations, so incoming connections can go to the
correct destination. That is, direct RTP connections between two
endpoints that didn't have any direct signalling communication before.

You can of course also proxy everything through your SIP provider
(including internal calls) and/or use STUN (which is unreliable under
Linux). I prefer not to.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html