** Reply to message from Chris Adams <cmadams@hiwaay.net> on Fri, 7 May 2004 09:45:36 -0500
Once upon a time, Alexei Roudnev <alex@relcom.net> said:
Any simple NAT (PNAT, to be correct) box decrease a chance of infection by last worms to 0. Just 0.0000%.
The problem is that Joe User (or his kid) wants to run some random P2P program without having to reconfigure NAT port mappings, so they have all inbound connections mapped to a static internal IP. When the worms come knocking, the connections go right through and the static IP system gets infected, which then infects the Mom's computer, etc.; then you have 2+ times as much worm traffic sourced from that single public IP because there are multiple computers scanning.
If Joe (L)User or his kid sets up his NAT that way... well, quite honestly he gets what he deserves. Protecting against active, deliberate stupidty is probably more than my job description coveres. I do get paid to clean up the mess afterwards however. And in at least one case I have set it up for a customer that they are behind a NAT that they can't reconfigure - 3 strikes and I was out of patience. But I suggest that in my experience the above sort of thing is relatively rare.
NAT does help if you just put necessary port mappings in place (and only for "secure" protocols).
I don't know about that last part - do you consider http and ftp to be secure protocols? -- Jeff Shultz A railfan pulls up to a grade crossing hoping that there will be a train.