On Thu, Oct 02, 2003 at 12:55:38AM +1200, David Zanetti wrote:

> NAT does not what? 

NAT does not work with all IP protocols.

> Which is the same effect in address overloaded NAT. There's no
> functional difference between the tables being maintained by
> connection tracking for a non-NAT connection, and connection tracking
> from NAT. Both behave largely the same. 

Sigh.  No.  The NAT state tables aren't keeping state at the same level
as the packet filter, e.g. the NAT state tables don't know anything
about the current connection state of a TCP stream.

The NAT state table can (and often is) merged with the packet filter's
state table, but they are not doing the same task.

If you want to protect machines behind a firewall, NAT is not nearly
enough.

> Never said it did. I believe the question was about protection of
> machines behind the NAT point, not the point itself. 

Take your blinders off.  If the firewall is compromised, what chance do
the machines behind it have?  You need to protect the firewall just as
much, if not more, than the machines behind it.

Cheers,
-mjg
-- 
Matthew Gregan                     |/
                                  /|                [EMAIL PROTECTED]

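As an added illustration of the distinction drawn in this reply (not code from the thread, nor from any NAT or packet-filter implementation), the following Python model puts a bare address-overloading NAT table beside a stateful TCP filter and drives one stream through both. The addresses are constructed from the RFC 5737 documentation ranges, the NAT is assumed to keep endpoint-independent mappings, and the TCP state machine is a deliberately reduced assumption of this toy; the point it shows is that a NAT mapping keeps translating packets for a stream that the filter already knows is torn down or never opened.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
INSIDE_HOST = "192.0.2.10"        # host behind the firewall
FIREWALL_PUBLIC = "198.51.100.1"  # firewall's outside address
PEER = "203.0.113.5"              # remote server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


class NatTable:
    """Address-overloading NAT: (inside addr, port) <-> public port.
    Keeps only whether a mapping exists, not the TCP state of the stream
    behind it. Endpoint-independent mapping is an assumption of this model."""

    def __init__(self) -> None:
        self.out_map: Dict[Tuple[str, int], int] = {}
        self.in_map: Dict[int, Tuple[str, int]] = {}
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self._next_port
            self.in_map[self._next_port] = key
            self._next_port += 1
        return Packet(FIREWALL_PUBLIC, self.out_map[key], pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = self.in_map.get(pkt.dport)
        if key is None:
            return None  # no mapping: NAT drops it
        return Packet(pkt.src, pkt.sport, key[0], key[1], pkt.flags)


class StatefulFilter:
    """Follows each TCP stream's handshake and teardown and rejects packets
    that do not fit the stream's current state (simplified state machine)."""

    def __init__(self) -> None:
        self.state: Dict[FrozenSet[Tuple[str, int]], str] = {}

    def check(self, pkt: Packet, inbound: bool) -> bool:
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        state = self.state.get(key, "NONE")
        if "RST" in pkt.flags and state != "NONE":
            self.state[key] = "CLOSED"  # RST on a known stream tears it down
            return True
        if state == "NONE":  # only an outbound SYN may open a stream
            if not inbound and pkt.flags == {"SYN"}:
                self.state[key] = "SYN_SENT"
                return True
            return False
        if state == "SYN_SENT":  # waiting for the peer's SYN/ACK
            if inbound and pkt.flags == {"SYN", "ACK"}:
                self.state[key] = "ESTABLISHED"
                return True
            return False
        if state == "ESTABLISHED":  # data, ACK and FIN pass; a fresh SYN does not
            return "SYN" not in pkt.flags
        return False  # CLOSED: nothing further is accepted


def run_scenario() -> Dict[str, bool]:
    """Drive one stream through both tables and record each decision."""
    nat, fw = NatTable(), StatefulFilter()
    decisions: Dict[str, bool] = {}

    def send_out(pkt: Packet, label: str) -> None:
        # Outbound: the filter judges the untranslated packet, then NAT rewrites it.
        decisions[label] = fw.check(pkt, inbound=False)
        nat.outbound(pkt)

    def send_in(pkt: Packet, label: str) -> None:
        # Inbound: NAT translates first; the filter then judges the stream state.
        translated = nat.inbound(pkt)
        decisions[label + "_nat"] = translated is not None
        decisions[label + "_filter"] = translated is not None and fw.check(translated, inbound=True)

    send_out(Packet(INSIDE_HOST, 12345, PEER, 80, frozenset({"SYN"})), "syn")
    pub_port = nat.out_map[(INSIDE_HOST, 12345)]
    send_in(Packet(PEER, 80, FIREWALL_PUBLIC, pub_port, frozenset({"SYN", "ACK"})), "synack")
    # Inside host aborts the stream; the NAT mapping itself stays alive.
    send_out(Packet(INSIDE_HOST, 12345, PEER, 80, frozenset({"RST"})), "rst")
    # Peer keeps talking into the dead stream: NAT still translates, filter drops.
    send_in(Packet(PEER, 80, FIREWALL_PUBLIC, pub_port, frozenset({"ACK"})), "late_ack")
    # A different endpoint sends a SYN at the mapped port: NAT forwards it
    # (endpoint-independent mapping), the filter refuses an inbound SYN.
    send_in(Packet(PEER, 4444, FIREWALL_PUBLIC, pub_port, frozenset({"SYN"})), "stray_syn")
    return decisions
```

Calling run_scenario() returns one entry per decision: the NAT table forwards both the late ACK and the stray SYN because a mapping for the public port exists, while the stateful filter drops both, one because the stream was reset and one because nothing on the inside ever opened it. In a real deployment the two tables are usually merged, as the reply notes, which is exactly why a NAT-only configuration (no filter rules consulting connection state, and nothing protecting the firewall host itself) leaves the gap this model shows.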