Once upon a time, Roger Marquis <marquis@roble.com> said:
Address conservation aside, the main selling point of NAT is its filtering of inbound session requests. NAT _always_ fails-closed by forcing inbound connections to pass validation by stateful inspection. Without this you'd have to depend on less reliable (fail-open) mechanisms and streams could be initiated from the Internet at large. In theory you could enforce fail-closed reliably without NAT, but the rules would have to be more complex and complexity is the enemy of security.
NAT == stateful firewall + packet mangling. You can do all the same stateful firewall bits and drop the packet mangling quite easily (it is certainly not "more complex" to not mangle packets).

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
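The point of the reply above, as an added example that is not part of the thread: a toy connection tracker in which the fail-closed behaviour lives entirely in the state table, and address translation is a separate step that can be switched off without touching the inbound check. All addresses and ports are constructed documentation-range values, and the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A flow as the outside world sees it: (proto, remote ip, remote port, local ip, local port).
# With NAT the "local" side is the shared public address; without NAT it is the
# inside host's own routable address. The inbound check is identical either way.
StateKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Stateful inspection with optional source translation (the 'packet mangling')."""

    def __init__(self, nat_ip: Optional[str] = None, first_port: int = 40000):
        self.nat_ip = nat_ip            # None: plain stateful firewall, no mangling
        self.next_port = first_port     # next translated source port when NAT is on
        self.state: Dict[StateKey, Tuple[str, int]] = {}  # outside view -> inside (ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create state, then (optionally) rewrite the source."""
        local_ip, local_port = pkt.src_ip, pkt.src_port
        if self.nat_ip is not None:
            local_ip, local_port = self.nat_ip, self.next_port
            self.next_port += 1
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, local_ip, local_port)
        self.state[key] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, local_ip, local_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only if the full 5-tuple matches existing state.

        Returns the packet as delivered to the inside host, or None when dropped.
        No state means no entry: the default is to drop (fail closed)."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        inside = self.state.get(key)
        if inside is None:
            return None
        in_ip, in_port = inside
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo(nat: bool) -> dict:
    """Run the same three inbound packets through the firewall with and without NAT."""
    # Constructed addresses: RFC 1918 inside host behind NAT, or a routable
    # documentation-range host when no translation is done.
    inside_ip = "10.0.0.5" if nat else "192.0.2.5"
    fw = StatefulFirewall(nat_ip="198.51.100.1" if nat else None)

    # 1. Inside host opens a TCP session to a web server.
    out = fw.outbound(Packet("tcp", inside_ip, 51000, "203.0.113.10", 443))
    # 2. The server's legitimate reply, addressed to whatever source it saw.
    reply = Packet("tcp", "203.0.113.10", 443, out.src_ip, out.src_port)
    # 3. An unsolicited inbound SYN aimed straight at the inside host.
    rogue = Packet("tcp", "203.0.113.99", 12345, inside_ip, 22)
    # 4. A packet that hits the right local port but from the wrong peer.
    spoof = Packet("tcp", "203.0.113.99", 443, out.src_ip, out.src_port)

    return {
        "translated_src": (out.src_ip, out.src_port),
        "reply": fw.inbound(reply),   # forwarded to the inside host
        "rogue": fw.inbound(rogue),   # dropped: no state
        "spoof": fw.inbound(spoof),   # dropped: 5-tuple mismatch
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("NAT on" if mode else "NAT off", demo(mode))
```

Both runs drop the unsolicited and mismatched packets and deliver only the tracked reply; the only difference NAT makes is the source address the outside sees and the extra rewrite on the way back in. That is the reply's claim in code: the inbound filter is the state table, and the mangling is optional.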