----- Original Message -----
From: "Jimmy Hess" <mysidia@gmail.com>
> There's no reason for the internet community to re-design every protocol to allow and try to function in a NAT environment, for the benefit of a small number of edge networks, who want a private castle with hosts on their network not connected to the internet, for no reason that has been adequately justified.
Justify yourself in turn: "small number". My personal estimate of the number of NATted edge networks is well north of 75%, on a network count basis.
No one has ever provided me with a serviceable explanation of why a stateful firewall is an insufficient method for implementing any desired network policy, with regards to limiting accepted traffic to outbound connections for nodes on an edge network.
Complexity of the configuration vastly increases the size of the attack surface: in a NATted edge network, *no packets can come in unless I explicitly configure for them*; there are any number of reasons why an equivalently simple assertion cannot be made concerning the configuration of firewalls, of whatever type or construction. In a firewall, you are *fighting* the default "route this packet" design; in a NATgate, you have to consciously throw the packets over the moat. I've never been clear why this isn't intuitively obvious to the people with whom I have to have this argument.

Cheers,
-- jra
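A toy model of the two edge designs argued over in this thread, added here as an illustration and not code from either poster. Flows are recorded only when an inside host opens them, as both connection tracking and a NAT table do; what differs is the fate of an inbound packet that matches no recorded flow, and the model's `default_accept` knob, addresses and unchanged port numbers are constructed simplifications.

```python
"""Constructed model: a NAT gateway and a stateful filter protecting the
same inside host. Only flows opened from inside populate the state table.
An inbound packet with no matching state has nowhere to go on the NAT box,
whereas the filter falls back to its default policy."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Edge:
    """mode is 'nat' or 'filter'; default_accept is consulted only by the
    filter. Ports are kept unchanged across the NAT (a simplification)."""

    def __init__(self, public_ip: str, mode: str, default_accept: bool = False):
        self.public_ip, self.mode, self.default_accept = public_ip, mode, default_accept
        self.state: dict = {}  # (remote, rport, local_side_ip, lport) -> inside host

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host opens a flow: record it, return the packet that leaves."""
        local_ip = self.public_ip if self.mode == "nat" else pkt.src
        self.state[(pkt.dst, pkt.dport, local_ip, pkt.sport)] = pkt.src
        return Packet(local_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Return the inside host that receives pkt, or None if it is dropped."""
        host = self.state.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if host is not None:  # reply to a flow opened from inside
            return host
        if self.mode == "nat":  # no mapping: no inside address to deliver to
            return None
        return pkt.dst if self.default_accept else None  # default policy decides


def unsolicited_reaches_inside(mode: str, default_accept: bool) -> bool:
    """Does a packet nobody inside asked for get delivered? Constructed addresses."""
    inside = "192.168.1.10" if mode == "nat" else "203.0.113.10"
    edge = Edge("203.0.113.1", mode, default_accept)
    out = edge.outbound(Packet(inside, 40000, "198.51.100.5", 443))
    # the legitimate reply is admitted by both designs
    assert edge.inbound(Packet(out.dst, out.dport, out.src, out.sport)) == inside
    target = edge.public_ip if mode == "nat" else inside  # address a probe would aim at
    return edge.inbound(Packet("198.51.100.99", 5555, target, 22)) is not None


if __name__ == "__main__":
    for mode, dflt in [("nat", False), ("nat", True), ("filter", False), ("filter", True)]:
        print(f"{mode:6} default_accept={dflt!s:5} unsolicited delivered: "
              f"{unsolicited_reaches_inside(mode, dflt)}")
```

Run as a script, it shows that the assertion "no packets come in unless configured" holds for the NAT box regardless of policy, and for the stateful filter exactly when its default policy is drop.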