
Love to see wxPython!

A web interface and home server can have an outage. Bluesky is just a web interface and home server.

And then they fix the issue by using multiple localhost IPs rather than, perhaps, not sending 15-20 thousand URIs at a time.

They mentioned it was a temporary fix that they removed after finding and fixing the true root cause, though.

Can I view the source code of this skill / install it manually? I am incredibly not a fan of automated installers for this type of stuff.

You can! The skill lives here

https://github.com/instantdb/skills


Something almost no firewalls get right is pausing connections (NOT rejecting them) until I've decided whether to allow or not. The only firewalls I've seen do this are Little Snitch for Mac, and Portmaster for Windows (before they made it adware / started locking existing local features behind the subscription).

Firewalls don't do this because they are built at the wrong layer to do proper pending calls. It's too narrow of a design space for most firewalls to care.

True, most firewalls aren't built to pause for user input. But then again, that's why almost no firewall software is suitable for this user experience.

I use Portmaster (on Linux) and I have never seen ads (either in the app or apps that get their DNS from Portmaster) on it. About the only thing I saw different between the free version and the base level paid for version was traffic history and weekly reports (and badges on Discord if that's your kind of thing).

Both used to be free. And you may not consider it advertising when unavailable features exist in the free UI just to tell you they're paid, but I do. Especially when they used to be free.

OpenSnitch seems to do this just fine? Unless I’m misunderstanding your point. Connections seem to just block until I take an action on the dialog. Now, if an application itself has specified a short timeout (looking at you, NodeJS-based stuff), that obviously doesn’t help. But for most software it works great.

Yess, the return of the actually good landing page for the technically-minded. Now all they need to do is roll back the macOS one that looks and reads like it was designed by a marketing agency that knows nothing about computers (or even Little Snitch itself).

I wonder if you can place an A18 from a Neo onto an iPhone board, and then make that work somehow... You wouldn't be able to use the one originally from the iPhone because it's differently fused to only accept iOS images.

Is it possible that a jailbreak is found that could allow a “kexec” kind of thing to load a new OS? Of course it would be a huge amount of work even if theoretically possible.

marcan once said this was not possible on M1 macs. It was possible before, as coolbooter demonstrated, but it seems now that the hardware cannot be completely reinitialized without being power cycled (it was on Mastodon in 2024, he has since deleted his account so I cannot give you the exact quote). But you can do wizardry to load macOS' userspace on top of iOS' kernel [0] with a jailbreak.

[0]: https://x.com/khanhduytran0/status/1954724636727587237


You can't reinitialize the hardware, but if whatever you are trying to load is compatible with what's going on, then it should work. In a sense you could consider kexec to be like booting on a kind of weird machine where your interface to talking to the hardware is whatever macOS initialized the devices to.

What's the difference, other than port forwarding? Does NAT cause some sort of unique issue that makes existence miserable?

> What's the difference, other than port forwarding? Does NAT cause some sort of unique issue that makes existence miserable?

The difference is that your home router does not get a public IP on its WAN interface, but perhaps the non-publicly-routable 100.64.0.0/10 [1] with CG-NAT.

So if you don't have a public IP address, how exactly are you supposed to forward anything? What is the other end supposed to connect to as an IP address?

[1] https://en.wikipedia.org/wiki/IPv4_shared_address_space


> The difference is that your home router does not get a public IP on its WAN interface, but perhaps the non-publicly-routable 100.64.0.0/10 [1] with CG-NAT.

Yes...? I know that, but does that cause any issues in practice other than death of P2P?

> So if you don't have a public IP address, how exactly are you supposed to forward anything? What is the other end supposed to connect to as an IP address?

I already mentioned port forwarding because with something like CG-NAT, it is often not possible (or not allowed). But I am not aware of any issues that stem from this other than an inability for others to establish connections directly to you. In fact, my network has a public IPv4 without CG-NAT and yet I am already used to being unable to receive data other than back through a TCP stream. That is the entire reason reverse proxy tunnels (such as ngrok, etc.) exist.


> Yes...? I know that, but does that cause any issues in practice other than death of P2P?

Well:

> If you’re a gamer using PS5, Xbox, or PC in 2025, running into Double NAT or CGNAT port forwarding issues can make online play nearly impossible. Many 5G home internet and satellite services (like T-Mobile Home Internet and Starlink) put users behind carrier-grade NAT, which blocks direct connections and port forwarding. The good news? There are still workarounds that can open up your connection for smoother online gaming.

* https://www.modemguides.com/blogs/modemguides-blog/double-na...

See also:

* https://en.wikipedia.org/wiki/Carrier-grade_NAT#Disadvantage...

When we went from dial-up speeds to DSL/cable to fibre we were able to have all sorts of new applications due to higher bandwidth. Smartphones are capable of all sorts of things because they're always online: back in the day people used to talk about "being online" and saying "sorry, I was offline", because you only had connectivity at the office or at home (where you dialed into your ISP).

What kind of applications and services are not being invented because we're stuck with the current non-P2P / centralized setup of IPv4+NAT?


> What kind of applications and services are not being invented because we're stuck with the current non-P2P / centralized setup of IPv4+NAT?

I don't know? I've never had CG-NAT and yet I've never seen a piece of software that takes advantage of that except maybe for games that use UPnP to open ports.


> I've never seen a piece of software that takes advantage of that except maybe for games

Maybe we haven't seen many products available on the market to take advantage of it because the current standard of NATs make such things practically unworkable?

It's pretty much impossible to ship smart home stuff that is hosted locally (i.e. not without it connecting to some cloud service) because people want to access these smart devices from outside their home. They're not likely to configure a VPN to connect home, they're not going to configure NATs in any workable fashion (or may be unable to, such as CGNAT), the applications probably don't want to have to handle having NAT hairpinning issues, etc.

So instead we continue down everything that's popular being something that requires a cloud proxy/relay (because that's the only way things actually work for most people), when in reality if things could just be public we could do a whole bunch more and empower people to easily host things themselves.


> I don't know? I've never had CG-NAT and yet I've never seen a piece of software that takes advantage of that except maybe for games that use UPnP to open ports.

Which, as a sibling comment mentions, is the point.

The fact that (CG-)NAT is in the way could be precluding the development of "software that takes advantage of that". It's a form of (negative/inverse) survivorship bias: kind of like zoning for only single-family homes and yet saying "no one wants mid-rise towers/apartments as evidenced by the fact no one is building them". The current rules/structure/architecture preclude any other options.


Games, voice/video chat (especially open source ones), stuff like Tailscale, stuff like Magic Wormhole, ... stuff like Dropbox.

Is there anything you do on a computer that involves communicating with another user? That's not just anything - that's most things! All communication between two computers is improved by not requiring NAT.

Corporations love to keep us dependent on their central servers, of course.


>other than port forwarding

>other

Well you just handwaved away the most significant difference between NAT and native IP, obviously there won't be any major difference to discuss anymore!

No, we can't ignore port forwarding. The key thing to realize about NAT is that someone owns the NAT. Back then, the NAT lived inside each of the home routers, so even if you have a "strict" NAT (endpoint-dependent mapping NAT, i.e. one that doesn't allow for hole-punching), you can easily bypass it by setting up a manual port forwarding entry.

With CGNAT that's no longer possible, you do not control the NAT. If your ISP decides to screw you over, you essentially do not have a choice but to get a relay, which needlessly costs you money.

---

But if you really want to know what advantages native IP has over NAT, I'd say the lack of keepalive packets (to keep a holepunched NAT entry from being removed) is a pretty nice thing.


What is this entitled mindset that somehow people without CG-NAT already benefit from their public IPv4? The only benefit I get from port forwarding is being able to expose my Plex media server to the wider internet, and Tailscale and Steam Networking being able to establish P2P. But even UDP should work through CG-NAT. So you can't hole-punch over WAN -- I've never encountered even a single piece of software that needs that except for servers.

Port forwarding is nice, but everyone already knows you can hardly run a server at home (even in countries where port forwarding is standard). It's been this way for as long as I can remember. So yes I handwave it away because it doesn't matter. If that's the only drawback to CG-NAT (other than single IP address bans applying to entire nations or something) I hardly understand why it warrants treatment as such a terrible awful disaster.


>What is this entitled mindset that somehow people without CG-NAT already benefit from their public IPv4?

I will raise you the opposite point: why deprive people of their ability to have a globally addressable IP address?

>But even UDP should work through CG-NAT.

I have already told you why it is wrong to make such an assumption, haven't I?

I have heard of stories coming from China and Vietnam that some ISPs implement so-called "type 4 NAT", otherwise known as symmetric NAT or NAT with endpoint-dependent mapping.

This kind of NAT is NOT hole-punchable. And because you don't control the NAT, you are simply SOL if one day your NAT decides to switch to it. Can't even use Tailscale without significant service degradation now, ouch.

Granted, I have only heard about it in Vietnam and China, and it's not a national thing -- only some provinces seem to have symmetric NAT implemented. But I feel the need to remind you that the ISPs there were able to get away with it, because the two countries have significant IPv6 presence. [0]

>Port forwarding is nice, but everyone already knows you can hardly run a server at home (even in countries where port forwarding is standard).

You can hardly run a server at home because we have been facing address space depletion since the dot com bubble.

>I hardly understand why it warrants treatment as such a terrible awful disaster.

You haven't faced an overloaded CGNAT gateway, have you? [1]

[0]: https://stats.labs.apnic.net/ipv6/XD

[1]: https://www.reddit.com/r/ipv6/comments/1as8dvy/is_there_a_wa...


> I will raise you the opposite point: why deprive people of their ability to have a globally addressable IP address?

I wouldn't. I just don't understand, if the alternative is having no internet access at all, why CG-NAT is so utterly deplorable.

> This kind of NAT is NOT hole-punchable. And because you don't control the NAT, you are simply SOL if one day your NAT decides to switch to it.

Can you clarify what you mean by hole-punchable? If all else fails, just use TCP, right? Does TCP also not work? I'm also not talking about connection between peers but connection to a server. Connection between peers has never been a 100% reliable strategy regardless of anything.

> You haven't faced an overloaded CGNAT gateway, have you? [1]

I have not, but that is not inherent to CG-NAT, is it? Any switch or other hop between you and your destination can be overloaded. The destination itself can be overloaded.


>Can you clarify what you mean by hole-punchable? If all else fails, just use TCP, right? Does TCP also not work?

I... uh, what? Please... learn more about hole punching before trying to engage in the topic.

Hole punching, in the context of NAT, is a technique where you establish peer-to-peer connection between hosts behind a NAT.

It does not matter which protocol you use, UDP or TCP or chuckles SCTP. If you want to establish P2P connection, you must hole punch.

The only alternative is to use relays.

>I have not, but that is not inherent to CG-NAT, is it? Any switch or other hop between you and your destination can be overloaded.

A typical hop does not need to maintain a huge dynamic state table. NAT, due to its very own temporal nature, must do so.

>destination itself can be overloaded.

Apples and oranges. Destination overload is a service problem. Hop overload is an infrastructural problem.
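The mapping, filtering and keepalive behaviour argued over in the comments above (endpoint-dependent mapping a.k.a. symmetric NAT vs cone NAT, why hole punching fails through the former, why a punched hole needs keepalives, and the per-flow state table a NAT must keep) as an added Python model; this is constructed for illustration, not code from any commenter, and it assumes RFC 4787 terminology, address-and-port-dependent filtering on both NATs and a made-up 30-second UDP mapping timeout.

```python
"""Toy NAT model (constructed, not a real NAT): endpoint-independent vs symmetric mapping,
address-and-port-dependent filtering, and idle expiry of UDP mappings (RFC 4787 terms)."""
from dataclasses import dataclass, field

MAPPING_TIMEOUT = 30  # assumed seconds of idleness before the NAT drops a UDP mapping

@dataclass
class Nat:
    public_ip: str
    symmetric: bool            # True: fresh external port for every (internal, remote) pair
    clock: int = 0             # simulated seconds
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # key -> external port (the NAT's state table)
    allowed: dict = field(default_factory=dict)    # external port -> remotes it has sent to
    last_used: dict = field(default_factory=dict)  # external port -> clock of last outbound

    def outbound(self, internal, remote):
        """Inside host `internal` sends to `remote`; returns the external (ip, port) used."""
        key = (internal, remote) if self.symmetric else internal
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        # Address-and-port-dependent filtering: only remotes this mapping has sent to
        # may send back through it, and every outbound packet refreshes the idle timer.
        self.allowed.setdefault(port, set()).add(remote)
        self.last_used[port] = self.clock
        return (self.public_ip, port)

    def inbound(self, external_port, remote):
        """True if a packet from `remote` to `external_port` is forwarded inside."""
        if self.clock - self.last_used.get(external_port, float("-inf")) > MAPPING_TIMEOUT:
            return False  # idle mapping was garbage-collected
        return remote in self.allowed.get(external_port, set())

SERVER = ("203.0.113.10", 3478)                      # rendezvous server (documentation range)
A, B = ("10.0.0.2", 5000), ("192.168.1.2", 5000)     # peers' private endpoints (constructed)

def hole_punch(nat_a, nat_b):
    """Classic UDP hole punch via a rendezvous server; returns (a_seen, b_seen, success)."""
    a_seen = nat_a.outbound(A, SERVER)   # server records the endpoint it saw each peer from
    b_seen = nat_b.outbound(B, SERVER)
    a_to_b = nat_a.outbound(A, b_seen)   # server relays those endpoints; both peers fire at once
    b_to_a = nat_b.outbound(B, a_seen)
    # A symmetric NAT picks a fresh port for the peer, so its packet arrives from a port the
    # other side never sent to, and the port the server saw still only admits the server.
    ok = nat_a.inbound(a_seen[1], b_to_a) and nat_b.inbound(b_seen[1], a_to_b)
    return a_seen, b_seen, ok

def punch_succeeds(symmetric_a, symmetric_b):
    """Does a punch work between two NATs with the given mapping behaviours?"""
    return hole_punch(Nat("198.51.100.1", symmetric_a), Nat("198.51.100.2", symmetric_b))[2]

def hole_stays_open(idle_seconds, keepalive_every=None):
    """After a good punch through two cone NATs, can B still reach A after idle_seconds?"""
    nat_a, nat_b = Nat("198.51.100.1", False), Nat("198.51.100.2", False)
    a_seen, b_seen, ok = hole_punch(nat_a, nat_b)
    assert ok
    for t in range(1, idle_seconds + 1):
        nat_a.clock = t
        if keepalive_every and t % keepalive_every == 0:
            nat_a.outbound(A, b_seen)    # the keepalive packet that keeps the mapping alive
    return nat_a.inbound(a_seen[1], b_seen)
```

`punch_succeeds(False, False)` is True while any symmetric side makes it False, and `hole_stays_open(60)` is False unless a keepalive shorter than the timeout (e.g. `hole_stays_open(60, 25)`) is sent.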


> Please... learn more about hole punching before trying to engage in the topic.

I'm not engaging in the topic of hole punching though? The topic is whether CG-NAT has drawbacks other than lack of port forwarding. As I've said many times, expecting P2P connectivity has never been viable. But you ignore that and keep talking about how hard hole punching is, as if it's indispensable. What makes it so indispensable? Why is it so critical?

> Hole punching, in the context of NAT, is a technique where you establish peer-to-peer connection between hosts behind a NAT.

Good, that confirms I was never talking about that. I even explicitly clarified I was not talking about that (though you may have loaded my comment before that edit).

> It does not matter which protocol you use, UDP or TCP or chuckles SCTP. If you want to establish P2P connection, you must hole punch.

You don't need to establish P2P connection so I don't see why that's such a problem. Again, it has never been safe to assume P2P connection is possible. Period. It is merely a progressive enhancement.


>The topic is CG-NAT and port forwarding

You don't mention port forwarding without mentioning hole punching.

Because what is port forwarding for, if not to ease the establishment of direct connections?

>You don't need to establish P2P connection

If you are seriously suggesting Server-Client Is All You Need (TM), I feel we might as well stop the discussion now. VoIP essentially requires P2P, WebRTC is much better with P2P. BitTorrent etc obviously runs on P2P.

Services that provide relays (for people who can't establish P2P connection) for free can only do so because they expect most connections to NOT go through the relay, and so they could simply stomach the costs of running one small relay.


"What's the difference other than the difference?". Not being able to forward ports means I can't play Tricky Towers with my friend (who isn't technical enough to join a VPN with me and would have privacy concerns about doing so).

Hole punching, which has various forms, may or may not work. This means if you're doing something realtime, you may need to stick a server (reachable endpoint) in between, at the very least reducing performance.

I have never seen any situation where this is not already necessary other than UPnP which already almost never works reliably. A publicly-addressable relay is already practically non-negotiable for anything over the internet.

IPv6 everywhere makes that not necessary, which is what the author is pushing for.

Without NAT, it wouldn't be. That's the point.

UPnP works fine though? What was the problem you had with it?

For one, monopolies disabling it by default on their equipment? I remember some years ago having to guess the admin password at a vacation house so I could enable UPnP. It's usually framed as a security vulnerability, even.

UPnP fails when multiple devices are fighting over the same port assignments. UPnP fails when people have it disabled, as has been recommended many times over the years.

It makes everything slower and more expensive.

> Claude Mythos Preview’s large increase in capabilities has led us to decide not to make it generally available.

Shame. Back to business as usual then.


I for one applaud them for being cautious.

Cautious for what? Unchecked doomerism? Just release the damn models. Do it in phases, roll it out slowly if they are so damn worried about "safety".

The real reason they aren't releasing it yet is probably it eats TPU for breakfast, lunch, and dinner and in between.


> Cautious for what?

How about "bad agents acquiring dozens of new zero-days and using them to compromise any company or nation they want"? It's not exactly hard to see why you wouldn't want public access to a model significantly better than Opus in cybersecurity.


Bad agents already have dozens of zero-days they can use.

Being cautious is fine. Farming hype around something that may as well not exist for us should be discouraged. I do appreciate the research outputs.

Don't worry, in 6-8 months the open models will catch up. Or I guess _do_ worry? ;)

Open models still haven't caught up to ChatGPT's initial release in 2022. Now that the training data is so contaminated (internet is now mostly LLM slop), they may never.

Also, OpenAI's only real moat used to be the quality of their training data from scraping the pre-GPT-3.5 Internet, but it looks like even they've scratched that too.


Er, what? We've had open models that can outperform ChatGPT 3.5 for several years now, and they can run entirely on your phone these days. There is no metric by which 3.5 has not been exceeded.

Not in the creative writing I care about. I've been looking for years and trying new models practically every month, including closed, hosted models. None of them approach the quality of the logs I have from that original release.

It's nice to know that they continue to be committed to advertising how safe and ethical they are.

In what ways is Anthropic different from a hypothetical frontier lab that you would characterize as legitimately safe and ethical?

I'm just a little frustrated they keep going on about how safe and ethical they are for keeping the more advanced capabilities from us. I wish they would wait to make an announcement until they have something to show, rather than this constant almost gloating.

Its existence is possible.

They are not our friends and are the exact opposite of what they are preaching to be.

Let alone their CEO scare mongering and actively attempting to get the government to ban local AI models running on your machine.


I agree attempting to ban local AI models or censor them, is not appropriate. At the same time, they do seem far more ethical and less dangerous than other AI companies. And I include big tech in that - a bunch of greedy companies that just want to abuse their monopoli … I mean moats.

How would you expect them to behave if they were your friends?

IMO (not the GP) but if Anthropic were my friends I would expect them to publish research that didn't just inflate the company itself and that was both reproducible and verifiable. Not just puff pieces that describe how ethical they are. After all, if a company has to remind you in every PR piece that they are ethical and safety-focused, there is a decent probability that they are the exact opposite.

They are a for-profit company, working on a project to eliminate all human labor and take the gains for themselves, with no plan to allow for the survival of anyone who works for a living. They're definitionally not your friends. While they remain for-profit, their specific behaviors don't really matter.

I work for a tech company that eliminates a form of human labour and they remain for profit.

Sure, most tech companies eliminate some form of human labor. Anthropic aims to eliminate all human labor, which is very different.
