On Monday 04 June 2007 13:54, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site?
>
> Nope. Zip. Zero. Zilch. Nothing over and above what a good properly configured stateful *non*-NAT firewall should be doing for you already.

Cool, then I need four of these firewalls, and two Class-C (512) worth of IP space that works behind my current ISP at no more than $39.95 each (my basic price for a Dlink, Netgear, etc cable/dsl router with NAT) with no additional cost to my monthly internet - and I will start switching over networks...

Yes, I am joking, but the point being that _currently_ NAT serves a purpose; is supported by lots and lots of little "boxes" that customers can plug in, configure, and be on the "net" quickly and easily without having to know about all the "firewall" related stuff; and _does_ do all those neat stateful things for people that have absolutely no interest in knowing about, much less learning how to make work.

While I agree with the principle being discussed, would that many, many, many more cable in particular and dsl customers of <Insert-Name-of-Large-ISP> had such NAT boxes installed and maybe the rest of us would not be getting quite so much spam from hacked cable/dsl/whatever machines...

--
Larry Smith
SysAd ECSIS.NET
sysad@ecsis.net
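
An added illustration, not part of the original message or thread: a minimal Python model of the two devices being compared, showing that the inbound protection comes from flow-state tracking, which a routed stateful firewall and a NAT box both perform. The class names, the addresses (documentation ranges) and the NAT behaviour (port translation with address-and-port-dependent filtering) are assumptions made for the example.

```python
SERVER, SCANNER = "203.0.113.80", "192.0.2.66"  # constructed documentation addresses

class StatefulFilter:
    """Routed firewall, no translation: default-deny inbound, replies to tracked flows pass."""
    def __init__(self):
        self.flows = set()

    def outbound(self, src, sport, dst, dport):
        self.flows.add((src, sport, dst, dport))
        return src, sport  # the remote end sees the host's real address and port

    def inbound(self, src, sport, dst, dport):
        # Accept only the exact reverse of a flow an inside host started.
        return "accept" if (dst, dport, src, sport) in self.flows else "drop"

class NatRouter:
    """Port-translating NAT with address-and-port-dependent filtering (assumed model)."""
    def __init__(self, wan_ip):
        self.wan_ip, self.next_port, self.back = wan_ip, 40000, {}

    def outbound(self, src, sport, dst, dport):
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.back[(wan_port, dst, dport)] = (src, sport)  # mapping is the flow state
        return self.wan_ip, wan_port  # the remote end sees the translated address

    def inbound(self, src, sport, dst, dport):
        known = dst == self.wan_ip and (dport, src, sport) in self.back
        return "accept" if known else "drop"

def verdicts(device, host_ip):
    """One inside host opens HTTPS to SERVER; then three inbound packets arrive."""
    seen_ip, seen_port = device.outbound(host_ip, 50000, SERVER, 443)
    return {
        "server_reply": device.inbound(SERVER, 443, seen_ip, seen_port),
        "port_scan": device.inbound(SCANNER, 31337, seen_ip, 22),
        "third_party_to_open_port": device.inbound(SCANNER, 443, seen_ip, seen_port),
    }

if __name__ == "__main__":
    print("stateful filter:", verdicts(StatefulFilter(), "198.51.100.10"))
    print("NAT router:     ", verdicts(NatRouter("198.51.100.1"), "192.168.1.10"))
```
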