On Thu, Jun 18, 2026 at 8:11 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
Am 18.06.26 um 16:42 schrieb William Herrin:
I'm almost never looking for a stateful packet inspector that isn't doing NAT.
If you really want, you can combine SPI firewalling with NAT66 (1:1 matching if you want).
I struggle to imagine a scenario where I would want that.
For me, NAT and the aspect that the machines are not addressable from the outside is a large disadvantage.
For me, it's situational. When I intend for a machine to provide services to the Internet, I prefer that it be accesible from the Internet without the complication of a stateful middlebox or packet translation. When I don't, any additional protection I can get without causing a hassle to myself is a boon. Since I know that mistakes are common, including my own, I prefer protection mechanisms which have a tough time failing unnoticed. When that SPI firewall fails to open routing, there's nothing to notice. Every application that was working before is still working after. That scenario is literally impossible with a 1:many NAT firewall. Regards, Bill Herrin -- For hire. https://bill.herrin.us/resume/