Stas Sergeev <stsp@xxxxxxx> writes: > 25.06.2013 03:43, Eric W. Biederman пишет: >> At a very basic level I don't know if it is wise to make it easy to >> open up old unmaintained dos executables to the public internet. > According to wikipedia: > https://en.wikipedia.org/wiki/Slirp#Limitations > slirp cannot accept the incoming connections, and therefore > gives as much of a protection as the NAT does. > But I really can't follow their (wikipedia) logic: at least if the > port is not already in use, why can't slirp open it to listen for > the incoming connections? They claim you need a port forwarding > for that. slirp and qemu can do that. You can't open a privileged port (because you don't have permission but it otherwise works). I do think they call the feature port forwarding however. NAT is sufficient to protect your old DOS mail client or to prevent packet spoofing by the bad guys. Let alone protect you if your DNS is compromised or you are otherwise tricked into connecting into a site the bad guys own. Applications like chrome and firefox are constantly getting updates to prevent problems in those kinds of scenarios. Other network facing applications are paranoid to one degree or another. My concern was just that most DOS applications are old enough that if anyone was serious they could use modern techniques and own your dosemu without trying hard. But like you say below these changes don't propogate quickly. >> maintenance dead end. If slirp updates can be pulled from qemu I don't >> imagine there will be any maintenance problems. > Well you probably know how "often" the dosemu releases > are made: not much more frequently than the ones of slirp. :) > So if there be some updates on slirp, even if someone will pull > them into dosemu git quickly, they have zero chances to reach > the user within 10 years or more, so this is not the best > solution. :)) Shrug. Whatever works. My networking facing hat is quite paranoid these days. I suspect simply having the configuration default to off by default is enough to protect most existing users of DOS applications. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-msdos" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
