On Mon, 2011-02-14 at 10:50 -0600, Mark Katerberg wrote:
> On 02/14/2011 10:45 AM, Justin Krejci wrote:
> > Explain how NAT does this? NAT simply mangles the IP headers.
> > A stateful firewall can protect you from port scans and other baddies
> > without NAT.
> > 
> 
> Yup, you should have that too. NAT just prevents a non-technical user
> from opening ports 53 and 22 to everyone by accident. User-functionality
> vs. security trade-off again.

NAT does not prevent them from opening ports to everyone. I've seen this
happen and done it myself. "Port Forward", sometimes called "Virtual
Servers", has nothing to do with NAT.

> 
> > It is bad because it has broken protocols, applications, and end-to-end
> > communications and caused much grief and likely loss of functionality in
> > various applications because of it, unseen loss of functionality.
> > I maintain NAT is evil. And even "extending the life of IPv4" is
> > debatable as a plus for the overall picture.
> > 
> 
> NAT doesn't realistically extend it by more than a week on the small
> scale it's been rolled out, so I agree it's a non-issue. I do agree that
> not listing that you are receiving a NAT connection is pretty evil. The
> user should be aware if they want to be, and there should definitely be
> an option available for a non-NAT connection, but I do understand the
> desire to provide NAT by default (see above).

When I say extend the life of IPv4, I mean its actual existence at
all, where you can use one public IP and share it amongst 50 or more
clients vs. using 50 or more public IP addresses. This has greatly
extended the life of IPv4.

> 
> 
> P.S.
> The top posting is getting a little annoying.
> 

Let's not start a battle here.
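As an added illustration of the point argued in this thread (not part of the original messages, and not a configuration from any of the posters), the following nftables ruleset shows a router with a routed public prefix and no address translation at all. The interface names eth0 (Internet side) and eth1 (LAN side) are assumptions. The stateful filter alone is what makes unsolicited inbound connections, including port scans of the LAN hosts, fail; NAT is not involved:

```nftables
# Added example: stateful filtering without any NAT.
# eth0 = Internet-facing interface, eth1 = LAN interface (assumed names).
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept   # replies to flows the router started
        ct state invalid drop
        iif "lo" accept
        iif "eth1" accept                     # LAN hosts may talk to the router itself
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # anything else arriving on eth0 hits the drop policy, so a scan of the
        # router's public address sees no listening services
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept   # return traffic for LAN-initiated flows
        ct state invalid drop
        iif "eth1" oif "eth0" accept          # LAN clients may open connections outward
        # new flows arriving on eth0 destined for LAN hosts hit the drop policy,
        # even though every LAN host has a publicly routable address
    }
}
```

Whether a LAN service becomes reachable from the outside is decided by an explicit accept rule in the forward chain (the "port forward" or "virtual server" screen on a consumer router adds exactly such a rule). That exposure is the same decision with or without address translation, which is why reviewing the forward chain, not the presence of NAT, is the check that tells you what is actually open.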