On Fri, Jul 08, 2005 at 01:15:42PM -0400, David Andersen wrote:
> On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote:
> > On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote:
> >> And if you still want "the protection of NAT," any stateful firewall
> >> will do it.
> >
> > That seems a common viewpoint.
> >
> > I believe the very existence of the Ping Of Death rebuts it.
> >
> > A machine behind a NAT box simply is not visible to the outside world,
> > except for the protocols you tunnel to it, if any. This *has* to
> > vastly reduce its attack exposure.
>
> Not really. Consider the logic in a NAT box:
[ ... ]
> and the logic in a stateful firewall:

Sorry. Given my other-end-of-the-telescope perspective, I was
envisioning an *on-machine* firewall, rather than a box.

Clearly *any* sort of box in the middle helps in the fashion I alluded
to, whether it NATs or not.

Cheers,
-- jra
--
Jay R. Ashworth [EMAIL PROTECTED]
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274

If you can read this... thank a system administrator. Or two. --me