JB> Date: Wed, 29 Oct 2003 15:27:27 -0600
JB> From: Jack Bates
JB> I think the point that was being made was that NAT allows the
JB> filtering of the box to be more idiot proof. Firewall rules
JB> tend to be complex, which is why mistakes *do* get made and
JB> systems still get compromised. NAT interfaces and setups
JB> tend to be more simplistic, and the IP addresses of the
JB> device won't route publicly through the firewall or any
JB> unknown alternate routes.
NAT "security" is a byproduct of NAT's stateful filtering. One
can accomplish the same effect with
check-state
allow ip any any recv internal0 keep-state
deny ip any any
Such a default fw config would be equally idiot-proof with no IP
obfuscation.
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
