On 17/02/2024, 19:27:20, "William Herrin" <bill@herrin.us> wrote:
So it does not surprise me that a 1994 book on network security would not have discussed NAT. They'd have referred to the comparable contemporary technology, which was "transparent application layer gateways." Those behaved like what we now call NAT but did the job a different way: instead of modifying packets, they terminated the connection and proxied it.
And that was a very desired feature plus the address isolation, then and for decades since. The client's IP stack was not trusted to interact directly with external hosts. See SOCKS proxy too (and later Squid). It is still in use today in some places.

There were stateful firewalls, but trust was reduced when the Firewall-1 undocumented and not unconfigurable default DNS UDP inbound rule was discovered; it let anyone on the Internet's "DNS" packets reach any host on the inside they could guess the address of. The "what if the product does allow packets in it is expected not to" consideration drove having unreachable internal addressing. Clicking on rules and assuming it is all good forever more through product revisions was not sufficient. Every version would need a significant re-audit and would probably miss any real problem.

How are people validating their firewall does what they think it does?

brandon
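One way to answer the closing question above is to treat the ruleset as data and probe it for invariants the operator believes hold. The following is an added example, not code from the thread or from any firewall product: a tiny first-match policy evaluator with a constructed sample policy, where a vendor default rule appended out of sight (modelled on the undocumented DNS rule described above) is caught because it accepts traffic the operator never listed as expected.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port

def first_match(rules, proto, src, dst, dport):
    """Evaluate one packet against an ordered ruleset; unmatched packets drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "drop"

def find_violations(rules, ext_src, internal_hosts, ports, expected_open):
    """Probe every (proto, host, port) combination from one external source and
    report anything accepted that is not on the operator's expected-open list."""
    violations = []
    for host in internal_hosts:
        for proto in ("tcp", "udp"):
            for port in ports:
                accepted = first_match(rules, proto, ext_src, host, port) == "accept"
                if accepted and (proto, host, port) not in expected_open:
                    violations.append((proto, host, port))
    return violations

# Constructed sample policy: two rules the operator wrote, plus a hypothetical
# vendor default that is not visible in the operator's rule list.
OPERATOR_RULES = [
    Rule("accept", "tcp", "0.0.0.0/0", "10.0.0.5/32", 25),   # inbound mail
    Rule("accept", "tcp", "0.0.0.0/0", "10.0.0.6/32", 80),   # public web
]
VENDOR_DEFAULT = [Rule("accept", "udp", "0.0.0.0/0", "0.0.0.0/0", 53)]
EFFECTIVE_RULES = OPERATOR_RULES + VENDOR_DEFAULT

EXPECTED_OPEN = {("tcp", "10.0.0.5", 25), ("tcp", "10.0.0.6", 80)}
INTERNAL_HOSTS = ["10.0.0.5", "10.0.0.6", "10.0.0.77"]   # constructed sample
PORTS = [22, 25, 53, 80, 443, 3389]                       # constructed sample

if __name__ == "__main__":
    for v in find_violations(EFFECTIVE_RULES, "198.51.100.7", INTERNAL_HOSTS, PORTS, EXPECTED_OPEN):
        print("unexpected accept:", v)
```

The same check run against a real device means exporting its effective ruleset, not the one shown in the GUI, and re-running the probe after every product upgrade.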