This sounds like the beginning of an interesting discussion.
I have taken the liberty of trimming the [Was: ..] portion
of the subject.
So TR, what are the underlying gripes about NAT and firewall-based
security?
- performance?
- ugly/dirty/messy coding or practices?
- individual liberties?
- network auditability???
- ??
And SS, what do you object to in Tracy's statement or assumptions?
- "host based security" practicality?
- technical challenges?
- ??
I have to admit my first reaction is that the "host based security"
concept seems difficult to achieve without some kind of "licensing" (or
what else?) of hosts that could assure hosts are capable of behaving
responsibly & reliably w.r.t. propagating security risks back into the net.
..jim
Stewart Stremler wrote:
> begin quoting Tracy R Reed as of Sun, Jan 29, 2006 at 10:32:35AM -0500:
> [snip]
>> Use passive FTP or install the iptables FTP helper module, which will
>> rewrite the protocol-layer port information to match what the NAT in
>> iptables is doing. I am really peeved these days over the destruction of
>> the peer-to-peer connectivity aspects of the Internet. NAT must die and
>> firewalls must go away in favor of host-based security. We need to come
>> up with a killer app for IPv6.
> NAT is a godsend and should rule the day; process-level IPs should be
> implemented as NAT'd 127.x.x.x IPs and mediated by the OS kernel to the
> appropriate static IP. We need to make sure we start implementing NAT
> functionality in IPv6-capable firewalls.
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
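As an added illustration of what the iptables FTP helper Tracy mentions actually does on the control channel, here is a small simulation written for this thread (not the kernel module's code): the public address 203.0.113.7, the private client 10.0.0.5 and the starting port 40000 are constructed sample values, and the port allocation is simplified.

```python
import re

# Active-mode FTP carries the client's address inside the control channel:
# "PORT h1,h2,h3,h4,p1,p2" means "connect back to h1.h2.h3.h4:(p1*256+p2)".
# Behind NAT that is a private address the server cannot reach, so the FTP
# helper rewrites it to the NAT box's public address and remembers the
# mapping so the server's inbound data connection can be DNATed back.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class FtpNatHelper:
    """Toy model of an FTP application-level gateway (ALG) on a NAT box."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port   # simplification: the real helper prefers to keep the original port
        self.expectations = {}        # (public_ip, public_port) -> (private_ip, private_port)

    def rewrite_port_command(self, line, client_ip):
        """Rewrite one control-channel line sent by client_ip; non-PORT lines pass through.

        Returns (line_to_forward, expected_private_endpoint_or_None).
        """
        m = PORT_RE.match(line)
        if not m:
            return line, None
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return line, None         # malformed: forward untouched, create no mapping
        private_ip = ".".join(str(f) for f in fields[:4])
        private_port = fields[4] * 256 + fields[5]
        # Only honour an address that matches the connection's own source; otherwise the
        # client could open an inbound hole to a third host. The kernel helper has a
        # comparable check, controlled by its "loose" parameter.
        if private_ip != client_ip:
            return line, None
        public_port = self.next_port
        self.next_port += 1
        self.expectations[(self.public_ip, public_port)] = (private_ip, private_port)
        rewritten = "PORT %s,%d,%d\r\n" % (
            self.public_ip.replace(".", ","), public_port // 256, public_port % 256)
        return rewritten, (private_ip, private_port)

    def dnat_inbound(self, dst_ip, dst_port):
        """Where should the server's data connection to the public endpoint be sent?"""
        return self.expectations.pop((dst_ip, dst_port), None)  # one-shot, like a conntrack expectation


if __name__ == "__main__":
    alg = FtpNatHelper("203.0.113.7")
    fwd, exp = alg.rewrite_port_command("PORT 10,0,0,5,4,1\r\n", "10.0.0.5")
    print(fwd.strip(), exp)                      # PORT 203,0,113,7,156,64 ('10.0.0.5', 1025)
    print(alg.dnat_inbound("203.0.113.7", 40000))  # ('10.0.0.5', 1025)
```

Without the helper (or passive mode) the server sees "PORT 10,0,0,5,..." and tries to connect to an unroutable address, which is exactly the failure Tracy's advice works around.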