Nothing (except a good spanking -:)) can help in such case. We are not talking about static NAT and inbound connections. I told about dynamic PNAT _only_.
Once upon a time, Alexei Roudnev <alex@relcom.net> said:
Any simple NAT (PNAT, to be correct) box decrease a chance of infection
by
last worms to 0. Just 0.0000%.
The problem is that Joe User (or his kid) wants to run some random P2P program without having to reconfigure NAT port mappings, so they have all inbound connections mapped to a static internal IP. When the worms come knocking, the connections go right through and the static IP system gets infected, which then infects the Mom's computer, etc.; then you have 2+ times as much worm traffic sourced from that single public IP because there are multiple computers scanning.
NAT does help if you just put necessary port mappings in place (and only for "secure" protocols). -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.