• 0 Posts
  • 20 Comments
Joined 2 years ago
cake
Cake day: June 15th, 2023

help-circle


  • You’re welcome, great to see how you’re taking all the comments on board!

    There are more subtle problems with NAT as well. Say that PC-A opens a connection from port 1234 (to something on the internet), and PC-B opens a connection from port 1234 too. Now the router has to translate the PC-B connection to coming from port 1235 to distinguish them from each other. But if PC-C then wants to open a listening port on 1235 it won’t work because the port is already in use, even though you can’t see anything using that port!

    NAT is full of ridiculous corner cases like that, which normal users aren’t very likely to notice. But once you start self-hosting things or trying to get something like older multiplayer games working the problems pile up fast if you’re unlucky.


  • Yeah multiple NAT is a lot worse, but normal NAT has a lot of corner cases too that most people just don’t run into that often. For example if two computers behind NAT want to listen on the same port, that just doesn’t work.

    NAT is a “good enough” solution that tricked a whole generation of people growing up with it into thinking it’s a good thing. While in reality the best case is that you don’t run into issues and the worst case is that performance is horrible and you can’t do the things you want to do. The only people that benefit from it are lazy ISPs, not their users.


  • NAT is not a firewall and it’s not that great for privacy either, it’s not hard to fingerprint individual devices behind NAT. There are zero cases where NAT is better than the alternatives, except when you’re out of public IP’s, which isn’t an issue with IPv6.

    So you’re much better off by not trying to reinvent the wheel and using IPv6 the way it was intended. Use privacy extensions for privacy. Use proper firewall rules for security. Revel in the fact that NAT isn’t fucking up your inbound connections. Do not under any circumstances force the horrible kludge that is NAT into your IPv6 network.




  • Absolutely possible if you keep the network setup simple. However, I run different sets of containers as different users, some of which also use services from the host itself (such as a PostgreSQL instance), and things quickly become more complex in these situations. The examples on the github helped me a lot to realise everything I wanted.












  • I have read them. While Vaxry makes his points in typical Vaxry fashion he’s not wrong IMHO.

    I think it’s ridiculous and unprecedented to demand that other open source projects adhere to the rules of another project. If more projects would do that then where will it end? The big COC wars where camps of open source projects are split and fractured along opinions of how one should moderate their own communities? This is not the way to work together with others.

    The demand was not about Vaxry’s own behaviour outside freedesktop, but about his community. I disagree that behaviour there reflects on freedesktop itself. Hell, I think a lot of people who use Hyprland couldn’t even explain what freedesktop is and does.

    So in my opinion Vaxry was right to refuse the demand, and right to publish the email conversation about it. Openness in open source about these sorts of things is important. His hostility in writing about it is something else altogether. Feel free to judge him on that, but it doesn’t retroactively excuse freedesktop’s behaviour.