JB> Date: Wed, 29 Oct 2003 15:27:27 -0600 JB> From: Jack Bates JB> I think the point that was being made was that NAT allows the JB> filtering of the box to be more idiot proof. Firewall rules JB> tend to be complex, which is why mistakes *do* get made and JB> systems still get compromised. NAT interfaces and setups JB> tend to be more simplistic, and the IP addresses of the JB> device won't route publicly through the firewall or any JB> unknown alternate routes. NAT "security" is a byproduct of NAT's stateful filtering. One can accomplish the same effect with check-state allow ip any any recv internal0 keep-state deny ip any any Such a default fw config would be equally idiot-proof with no IP obfuscation. Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _________________________________________________________________ DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net Sending mail to spambait addresses is a great way to get blocked.