Owen DeLong <o...@delong.com> writes:

>> You know that, I know that and (hopefully) all people on this list know
>> that. But NAT == security was and still is sold by many people.
>>
> So is snake oil.

Ack, but people are still buying snake oil too.

>> After one of my talks about IPv6 the firewall admins of a company said
>> something like: "So we can't use NAT as an excuse anymore and have to
>> configure firewall rules? We don't want this."
>>
> So how did you answer him?

To be honest: I don't remember. I got drunk that evening. ;-)

> The correct answer is "No, you don't have to configure rules, you just need
> one rule supplied by default which denies anything that doesn't have a
> corresponding outbound entry in the state table and it works just like NAT
> without the address mangling".

They used NAT as an excuse not to let some applications to the outside.

Jens
--
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264    |
| http://blog.quux.de | jabber: jensl...@guug.de | ------------------- |
-------------------------------------------------------------------------
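
The single default rule quoted above (deny anything inbound that has no corresponding outbound entry in the state table), modelled as an added example that is not code from this thread. The class names, the 30-second idle timeout and the 2001:db8:: sample addresses are assumptions; addresses pass through unchanged, so the only thing rejecting unsolicited traffic is the state lookup.

```python
# Added illustration, not from the thread. Class and field names are hypothetical.
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Routes global IPv6 addresses unchanged; inbound traffic is default-deny."""

    def __init__(self, inside_prefix: str, idle_timeout: float = 30.0):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout   # assumed value, for illustration only
        self.state = {}                    # outbound 5-tuple -> time last seen

    def handle(self, pkt: Packet, now: float) -> str:
        # Simplification: direction is inferred from the source address.
        # A real firewall decides this by ingress interface.
        if ipaddress.ip_address(pkt.src) in self.inside:
            self.state[pkt] = now          # outbound: create or refresh the entry
            return "accept"
        # Inbound: the one default rule. Accept only a reply to a live entry.
        key = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.state.get(key)
        if seen is not None and now - seen <= self.idle_timeout:
            self.state[key] = now
            return "accept"
        self.state.pop(key, None)          # expired, or never existed
        return "drop"

def demo():
    # Constructed sample traffic using the 2001:db8::/32 documentation prefix.
    fw = StatefulFilter("2001:db8:1::/48")
    host, server, stranger = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    return [
        fw.handle(Packet("tcp", stranger, 40000, host, 22), 0.0),   # unsolicited
        fw.handle(Packet("tcp", host, 50000, server, 443), 1.0),    # outbound
        fw.handle(Packet("tcp", server, 443, host, 50000), 1.1),    # matching reply
        fw.handle(Packet("tcp", server, 443, host, 50001), 1.2),    # wrong port
        fw.handle(Packet("tcp", stranger, 443, host, 50000), 1.3),  # wrong peer
        fw.handle(Packet("tcp", server, 443, host, 50000), 100.0),  # entry expired
    ]

if __name__ == "__main__":
    print(demo())
```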