In message <53504C18.7050406@matthew.at>, Matthew Kaufman writes:
> On 4/17/2014 1:45 PM, George Herbert wrote:
>> This is why listening to operators is important.
>
> Why start now? After all, most of the useful input operators could have provided would have been much more useful at the beginning.
>
> Matthew Kaufman
NAT from a firewall perspective is "default deny in". As far as I can tell no one is arguing that a firewall should not support that.

Now mangling the addresses and ports is not a firewall's job. It never has been a firewall's job. That is what a NAT box does. Now sometimes a NAT and firewall are implemented in the same hardware and people fail to make the distinction.

As for doing the same as v4 in a firewall for v6, only an idiot would do that, as it will often break IPv6. There are rules, often deployed in v4, that are mostly harmless to IPv4 but will totally break IPv6.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
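As an added illustration of the two points above (a "default deny in" stateful firewall that does no address or port rewriting, and a v4 habit that breaks v6), here is an nftables ruleset. It is constructed for this note and is not from Mark's message or anyone else on the thread. The interface name "eth0", the SSH port and the placeholder prefix are assumptions; the ICMPv6 types listed are the ones IPv6 depends on for Neighbor Discovery and Path MTU Discovery, which is one concrete case of a rule that is harmless in v4 and fatal in v6.

```nftables
# Constructed example: stateful "default deny in" IPv6 firewall, no NAT.
# "eth0" and port 22 are placeholders; adjust to the deployment.

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny in

        # Stateful: replies to our own outbound traffic are allowed back in.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # Do NOT carry "drop all icmp" over from the v4 ruleset. IPv6 needs
        # ICMPv6 for Neighbor Discovery (on-link address resolution) and for
        # Path MTU Discovery: IPv6 routers never fragment, so Packet Too Big
        # must reach the host or large flows silently stall.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, nd-router-solicit,
                      packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable, echo-request } accept

        # Explicitly permitted inbound services (placeholder: SSH).
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable } accept
        # Hosts behind the firewall keep their global addresses: there is
        # no nat chain, no masquerade and no port rewriting anywhere here.
        oif "eth0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# The v4 habit the thread warns against: this line, copied from an IPv4
# ruleset into the v6 input chain, would break neighbor discovery and PMTUD.
# Shown only so it can be recognised in an audit; it is not part of the set.
#   meta l4proto ipv6-icmp drop
```

The ruleset is "default deny in" purely through the chain policy and connection tracking; nothing in it touches addresses or ports, which is the distinction Mark draws between a firewall and a NAT box. When auditing an IPv6 ruleset that was derived from an IPv4 one, the first thing to check is whether ICMPv6 is being dropped wholesale.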