On Wed, 23 Feb 2011, Andrew McGlashan wrote:
> An unpatched machine [for whatever reason], behind NAT has a
> fighting chance, but one which is directly addressable from the
The protection offered by NAT is equivalent to a stateful firewall that only allows sessions to be initiated by the inside[1]. Only, a firewall is likely to do a better job of securing the network than a NAT gateway.

Nobody ever proposed directly attaching networks to the wide internet without border protection. That has nothing to do with NAT.

And that "unpatched machine" has no fighting chance at all, NAT or no NAT, unless:

1. none of its inside neighbours will attack it
2. all the upgrade paths are safe
3. nothing else is done while it is upgrading itself.

(2) can be quite difficult if any of the important software wants to open a browser, and there are ads in the pages, for example. (3) depends on user awareness.

[1] iptables -I FORWARD -i <external interface> -m conntrack --ctstate NEW -j DROP (or something like that).

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110223193636.ga13...@khazad-dum.debian.net
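The footnote above gives a single rule; the full forwarding policy it stands in for, as an added example that is not part of the thread or of anything Henrique posted. It writes the inside-initiated-only policy as an explicit default-deny FORWARD chain with the MASQUERADE rule kept separate, which is the point being made: the address translation is not the security policy, the stateful filter is. Interface names (eth0 as the external side, eth1 as the LAN side) and the LAN prefix are assumptions; the script prints the iptables commands rather than running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the debian-user thread). Generates a minimal
# stateful forwarding policy for a Linux NAT gateway and prints it, so it
# can be reviewed before applying: ./fw.sh | sudo sh
# Assumed names: WAN=eth0 (external), LAN=eth1 (inside), LAN_NET=192.168.1.0/24.
set -eu

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# fw_rules <wan-if> <lan-if> <lan-prefix>: print the iptables commands.
fw_rules() {
    wan=$1
    lan=$2
    lan_net=$3
    cat <<EOF
# Default-deny for forwarded traffic. NAT alone is not a policy.
iptables -P FORWARD DROP
iptables -F FORWARD
# Packets in a state conntrack already knows (replies, ICMP errors, FTP data
# channels): allowed in both directions, which is all NAT gave you.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Invalid state (stray ACKs, bad TCP flags) is dropped before anything else.
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# New sessions only from the inside, and only from the prefix we expect.
iptables -A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
# New sessions arriving on the external side: log, then fall through to DROP.
iptables -A FORWARD -i $wan -m conntrack --ctstate NEW -j LOG --log-prefix "fw-new-in: "
iptables -A FORWARD -j DROP
# Address translation, kept separate from the filter policy.
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

fw_rules "$WAN" "$LAN" "$LAN_NET"
```

Note that this still does nothing about the author's point (1): traffic between hosts on the LAN side never traverses FORWARD, so an inside neighbour that is already compromised reaches the unpatched box regardless of what the gateway filters.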