begin quoting Gregory K. Ruiz-Ade as of Sat, Mar 25, 2006 at 04:58:31PM -0800:
> On Mar 24, 2006, at 11:11 PM, Stewart Stremler wrote:
>
> >The big complaint people tend to throw around with NAT is "it breaks
> >the inherent end-to-end connectivity of the Internet", which is
> >exactly what a default-deny setup on a firewall will do.
>
> Well, I have no problem with default-deny policies. That's a good
> thing. What I have a problem with is that if I _do_ want to allow
> access, I have to figure out the particular way to do it with
> whatever NAT device happens to be in the way.

The real problem, then, is that simplistic NAT does not offer sufficient
control. The handful of NAT devices and tools that I've seen have not
been so crippled; we may be working on different data-sets here. :)

> It's much simpler to (a) open the particular service on the host and
> (b) tell the firewall to let those connections through.

To SSH into a machine on the network, I just go to my NAT box and
configure it to connect <this> incoming port to <that> internal box.
Not any different than what I would have to do with a firewall, really.

> Default-deny policies aren't bad, or a problem. Having to do magical
> incantations and port re-numberings is. (Question: how do you allow
> SSH access to six hosts behind a NAT box? Not easily, that's for sure.)

The simple way is to run ssh on six different ports, and point each
incoming port to a different machine. Easy.

[snip - P2P apps]

> that's not my reasoning for disliking NAT. :)
>
> I want the option of being able to open things up without stupid
> workarounds. NAT does not give me that option.

I have a much different idea of what constitutes a "stupid workaround"
than you, I suspect. There are trivial workarounds (e.g. run another
sshd on a different port) that suffice, and if things get REALLY
complicated, then I'm looking at being in the situation of setting up a
proper DMZ'd dual-firewall fully-proxied network, with, oddly enough, a
local non-routable network behind the second firewall.

I have two static IP addresses, not one, because there are some things
I want to do. I'd take 8, but I missed that promotion, alas. But even
if I had an unlimited number of routable IP addresses, I'd still hide
all of my network behind a NAT gateway, and use static non-routable IPs
internally.

Trying to run fifty servers behind a NAT box is silly, yes. But a home
network, or a small business? That's right in the NAT sweet-spot, if
you don't give a damn about P2P network protocols (or, apparently,
VoIP).

[snip]

> >and slap 'em up everywhere around the house. Each one can have an IP
> >address and a web-server... and I was left thinking "Why is IPv6 a
> >good idea again?"
>
> Because... Well, what _else_ are we going to do with billions of IP
> addresses?

Generate spam, of course.

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
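The "six hosts, six incoming ports" scheme discussed in the message above, written out as an added example that is not code from the original thread or from either poster: a POSIX shell script that emits, rather than applies, the iptables DNAT and FORWARD rules for a NAT gateway running a default-deny FORWARD policy, plus the matching client-side ~/.ssh/config stanzas so nobody has to remember which port maps to which box. The interface names, the 192.168.1.x addresses, the 2201-2206 port range and the gateway hostname are all constructed assumptions for illustration.

```shell
#!/bin/sh
# Assumed interface names and a constructed external-port -> internal-host
# mapping; every internal host runs sshd on its normal port 22.
WAN_IF="eth0"
LAN_IF="eth1"
SSH_MAP="2201:192.168.1.11 2202:192.168.1.12 2203:192.168.1.13 \
2204:192.168.1.14 2205:192.168.1.15 2206:192.168.1.16"
GATEWAY="gateway.example.net"   # assumed public name of the NAT box

# Emit the two rules one mapping needs: rewrite the destination in
# PREROUTING, then permit only that rewritten flow through FORWARD.
# (FORWARD sees the post-DNAT destination, hence -d host --dport 22.)
forward_rules() {
    ext_port=$1
    host=$2
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
        "$WAN_IF" "$ext_port" "$host"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$host"
}

# Full ruleset: default-deny forwarding, allow replies to existing
# connections, then one explicit pinhole per internal host.
gen_ruleset() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for entry in $SSH_MAP; do
        forward_rules "${entry%%:*}" "${entry#*:}"
    done
}

# Client-side stanzas: "ssh lan3" lands on the third internal host.
gen_ssh_config() {
    i=1
    for entry in $SSH_MAP; do
        printf 'Host lan%s\n    HostName %s\n    Port %s\n\n' "$i" "$GATEWAY" "${entry%%:*}"
        i=$((i + 1))
    done
}

# Print both artifacts for review; nothing here touches the live firewall.
gen_ruleset
gen_ssh_config
```

Printing the rules instead of running them keeps the script safe to execute anywhere; to apply them on the gateway, review the output and pipe it through sh as root. The pinholes are deliberately keyed on the internal destination and port, so a DNAT rule alone never opens forwarding; the FORWARD policy stays DROP for everything not listed.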
