On Mar 24, 2006, at 11:11 PM, Stewart Stremler wrote:

The big complaint people tend to throw around with NAT is "it breaks
the inherent end-to-end connectivity of the Internet", which is exactly
what a default-deny setup on a firewall will do.

Well, I have no problem with default-deny policies. That's a good thing. What I have a problem with is that if I _do_ want to allow access, I have to figure out the particular way to do it with whatever NAT device happens to be in the way.

It's much simpler to (a) open the particular service on the host and (b) tell the firewall to let those connections through.

Default-deny policies aren't bad, or a problem. Having to do magical incantations and port re-numberings is. (Question: how do you allow SSH access to six hosts behind a NAT box? Not easily, that's for sure.)

We've been down this road before.  And, frankly, I don't give a damn
if the new gee-whiz P2P application of the month wants to open up
random server sockets so that all of its brethren can talk to it. I
get to set network policy on my own little piece of the network, just
because it's _my_ network, not $random_developer's.

That's not my reasoning for disliking NAT. :)

I want the option of being able to open things up without stupid work-arounds. NAT does not give me that option.

NPR recently had a show where they discussed the future.  They brought
out the idea of a roll of postage-sized cameras at $0.01 each. Give a
kid a roll of these things, color 'em like stickers, and he'll go home
and slap 'em up everywhere around the house.  Each one can have an IP
address and a web-server... and I was left thinking "Why is IPv6 a good
idea again?"

Because... Well, what _else_ are we going to do with billions of IP addresses?

Gregory

--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu

