begin quoting Gregory K. Ruiz-Ade as of Fri, Mar 24, 2006 at 10:39:51PM -0800:
> On Mar 24, 2006, at 6:58 PM, Stewart Stremler wrote:
> > begin quoting Tracy R Reed as of Fri, Mar 24, 2006 at 04:18:45PM -0800:
> > > I am so tired of NAT.
> >
> > You like default-allow security policies then?
>
> Red herring.

Not really. The big complaint people tend to throw around with NAT is "it breaks the inherent end-to-end connectivity of the Internet", which is exactly what a default-deny setup on a firewall will do. We've been down this road before.

And, frankly, I don't give a damn if the new gee-whiz P2P application of the month wants to open up random server sockets so that all of its brethren can talk to it. I get to set network policy on my own little piece of the network, just because it's _my_ network, not $random_developer's. If I can't tell an application what port it should run on, that application is _broke_.

(Likewise, if an application tunnels everything over port 80, it's broken as well, as that removes the fine-grained control I desire on my network, and I'm now forced to get a much smarter proxy firewall. Bad developer! No biscuit!)

(Remember, the Internet was also all about clear-text passwords, trusting source packets based on their reported IP address, trusting ports less than 1023, etc. etc. Not _all_ early ideas are good ones.)

On a tangent... NPR recently had a show where they discussed the future. They brought out the idea of a roll of postage-sized cameras at $0.01 each. Give a kid a roll of these things, color 'em like stickers, and he'll go home and slap 'em up everywhere around the house. Each one can have an IP address and a web-server... and I was left thinking "Why is IPv6 a good idea again?"

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
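The "default-deny setup on a firewall" the post contrasts with NAT is concrete enough to show. The following POSIX shell function is an added illustration, not code from the list thread or from any poster: it emits an nftables ruleset whose input and forward chains drop everything by default and accept only the TCP ports named on the command line (plus established/related traffic, loopback and ICMP echo), which is the policy-driven "I tell the application what port it runs on" model described above. The table and chain names (`inet filter`, `input`, `forward`, `output`) are my choices, not anything the page specifies.

```shell
#!/bin/sh
# Added example (not from the original post): print a default-deny
# nftables ruleset that only admits the TCP ports given as arguments.
# Usage: gen_default_deny_ruleset 22 80 | nft -f -
gen_default_deny_ruleset() {
    ports=""
    for p in "$@"; do
        # Reject anything that is not a plain decimal number.
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        # Reject numbers outside the valid TCP port range.
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "port out of range: $p" >&2
            return 1
        }
        if [ -z "$ports" ]; then ports="$p"; else ports="$ports, $p"; fi
    done

    # Inbound: policy drop, so anything not explicitly accepted below is lost.
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
EOF
    # Only the ports the administrator chose get a server socket reachable
    # from outside; an application picking a random port is simply not reached.
    if [ -n "$ports" ]; then
        printf '        tcp dport { %s } accept\n' "$ports"
    fi
    cat <<EOF
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}
```

Because the function only prints text, it can be reviewed or diffed before being loaded with `nft -f -`; the `policy drop;` lines are what make the chains default-deny, and adding a port means adding it to the explicit `tcp dport` set rather than relaxing the policy.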
