Must disagree.
1. Many people use NAT to hide their internal network structure and
make it that much more difficult for crackers. Security through
obscurity is NOT a perfect solution, but a little of it helps,
especially when it's easy. Also, ever tried to send a packet with an
address in the 192.168 range over the internet? They die rather
quickly.
2. Why should I want to fight with the IANA to get 200 addresses, when
all I need is the 16 that my ISP will happily subnet off for me?
3. While NAT based on service may be a bit much to demand as an entry
level firewall feature, many-to-one and many-to-many NAT are very
reasonable demands.
=========================
Paul H. Gracy
[EMAIL PROTECTED]
phone: 404 705 2873
#include <std.disclaimer>
=========================
> -----Original Message-----
> From: Paul Krumviede [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, January 14, 1999 12:12 AM
> To: [EMAIL PROTECTED]
> Subject: Re: OS Platform for firewall (...the answer is..)
>
> Curtice Hardy wrote:
> >
> > Well, that would depend.... I would say that it should support the
> > following (Out of the box, without any addons)....
> >
> > 1. Advanced NAT (One to one, One to many, And in today's world even
> > NAT based on service) Also, it Shouldn't be a problem to forward
> > services to inside NON-Windows (Read Unix servers).
>
> As far as I'm concerned, NAT is an evil idea, and I'd avoid systems
> that do it. If I really want to use it, I'll turn it on. I accept
> that others may think differently, but any discussion of core
> functionality should not add extras (and note that many people
> want or use NAT to either avoid arguing with ARIN or RIPE or
> APNIC about how many addresses they need or because they don't
> want to renumber).
>
> -paul
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]