On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
>
>>> Some people's belief that NAT is some magic sauce that makes them more
>>> secure [it does not] or provides them more flexibility [it does not]
>>> than real addresses ... causes the people who understand networking to
>>> have to spend time explaining that their love of NAT is misguided and
>>> their beliefs about NAT are bogus.
>> If the ipv6 routers come with defaults that work the same as current NAT
>> routers, people will be able to continue to misunderstand them happily. That
>> is, permit outbound client connections from anything connected behind them
>> without much regard to how many devices there are, and block everything else.
>
> And doesn't that sound like you just describe a firewall?
It sounds like a complex setup for a firewall with dynamic entries to
temporarily pass tcp and udp with different timeouts, where 1->many NAT
doesn't have any other choice. If you don't send outbound you don't get the
nat table entry to forward anything back through it.
> "permit outbound client connections from anything connected behind them
> without much regard to how many devices there are, and block everything
> else" isn't NAT. That's a router/firewall. Happily IPv6 does that
> exactly.
You didn't mention the number of devices - how does that play out when you
exceed the number initially set up?
--
Les Mikesell
[email protected]
_______________________________________________
CentOS mailing list
[email protected]
http://lists.centos.org/mailman/listinfo/centos
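The behaviour the thread is arguing about, a stateful filter on globally routed IPv6 addresses that admits inbound packets only when an outbound flow created state, with separate tcp and udp timeouts and no address translation, as an added simulation that is not part of the original thread. The prefix, addresses and timeout values are constructed for illustration; the state table is keyed per flow, so it is not bounded by a pre-configured number of inside hosts.

```python
from dataclasses import dataclass, field

# Constructed per-protocol lifetimes (seconds) for state-table entries.
TIMEOUTS = {"tcp": 300, "udp": 30}


@dataclass
class StatefulFilter:
    """Connection-tracking filter with no NAT: inside hosts keep real
    addresses, but inbound traffic passes only if it matches state that
    an earlier outbound packet created. Entries expire per protocol."""
    inside_prefix: str
    table: dict = field(default_factory=dict)  # flow key -> expiry time

    def _inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if t > now}

    def packet(self, now, proto, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one packet seen at time `now`."""
        self._expire(now)
        if self._inside(src) and not self._inside(dst):
            # Outbound: allowed from any inside host; create or refresh state.
            self.table[(proto, src, sport, dst, dport)] = now + TIMEOUTS[proto]
            return "accept"
        if self._inside(dst) and not self._inside(src):
            key = (proto, dst, dport, src, sport)  # reverse of the outbound key
            if key in self.table:
                self.table[key] = now + TIMEOUTS[proto]
                return "accept"
            return "drop"  # unsolicited inbound: no state, no translation needed
        return "drop"


def demo():
    """Walk a few constructed packets through the filter and collect verdicts."""
    fw = StatefulFilter("2001:db8:1::")
    out, inside, dns = "2001:db8:ff::9", "2001:db8:1::10", "2001:db8:ff::53"
    r = {}
    r["unsolicited"] = fw.packet(0, "tcp", out, 4444, inside, 22)
    fw.packet(1, "tcp", inside, 50000, out, 443)          # outbound creates state
    r["tcp_reply"] = fw.packet(2, "tcp", out, 443, inside, 50000)
    fw.packet(3, "udp", "2001:db8:1::11", 40000, dns, 53)  # second inside host
    r["udp_reply_late"] = fw.packet(34, "udp", dns, 53, "2001:db8:1::11", 40000)
    r["tcp_reply_still_open"] = fw.packet(34, "tcp", out, 443, inside, 50000)
    return r
```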