> >> They *will* fight you, and tell you to your face that if you want to
> >> take NAT away from them it will be from their cold dead hands.
>
> And it isn't NAT in and of itself that is attractive. Those people
> aren't talking about static NAT where you are just translating the
> network prefix. They are talking dynamic port-based PAT so that the
> translation doesn't exist until the first packet goes in the outbound
> direction. Like it or not, that DOES provide some barrier of entry to
> someone outside wishing to initiate a connection from the outside. You
> cannot predict in advance what outside address/port will be associated
> with which inside address/port or if any such association even exists
> and a lot of people have already made up their minds that the breakage
> that causes for various things is offset by the perceived benefit of
> that barrier and worth the price of dealing with that breakage.
>

Ah... You've actually just pointed out that it is _NOT_ the NAT that does that, but the stateful inspection that happens before the NAT.
Stateful inspection can occur and require a matching state table entry to permit inbound packets with or without the header-mangling that we call NAT, NPAT, NAPT, PAT, etc. True, overloaded NAT cannot exist without stateful inspection, but that's largely irrelevant to security. What is relevant is the need for a good stateful inspection engine with a default-deny-inbound policy.

Owen
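The point Owen makes above can be shown with a small model. The following is an added illustration, not code from the thread or from any of its participants: a toy stateful packet filter with a default-deny-inbound policy, run once with port-overloading NAT in front of the state table and once with no address rewriting at all. All addresses, ports and packets are constructed sample values, and the `StatefulFilter` class and `demo()` helper are inventions for this example.

```python
"""Toy stateful packet filter, with and without overloaded NAT (PAT).

Added illustration, not from the original thread. It models the claim that
unsolicited inbound connections are blocked by the state table plus a
default-deny-inbound policy, whether or not headers are rewritten.
Addresses, ports and packets are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# State is keyed by what a reply will look like when it arrives from outside:
# (outside peer addr, outside peer port, our outside-visible addr, our outside-visible port)
FlowKey = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self, outside_addr: Optional[str] = None):
        # outside_addr set   -> overloaded NAT (PAT) in front of the state table
        # outside_addr None  -> plain stateful inspection, no header mangling
        self.outside_addr = outside_addr
        self.next_port = 40000  # constructed starting point for PAT port allocation
        self.state: Dict[FlowKey, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: permitted; creates state (and a PAT binding if enabled)."""
        if self.outside_addr is not None:
            src, sport = self.outside_addr, self.next_port
            self.next_port += 1
        else:
            src, sport = pkt.src, pkt.sport
        self.state[(pkt.dst, pkt.dport, src, sport)] = (pkt.src, pkt.sport)
        return Packet(src, sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: permitted only on a matching state entry, else dropped."""
        inside = self.state.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside is None:
            return None  # default deny: no state, so the packet is dropped
        in_addr, in_port = inside
        # Un-translate (a no-op when no NAT is configured) and deliver inside.
        return Packet(pkt.src, pkt.sport, in_addr, in_port)


def demo(outside_addr: Optional[str]) -> Dict[str, Optional[Packet]]:
    """Run one outbound flow, its reply, and one unsolicited inbound attempt."""
    fw = StatefulFilter(outside_addr)
    # Constructed sample: inside host 192.0.2.10 connects to 198.51.100.80:443.
    out = fw.outbound(Packet("192.0.2.10", 51515, "198.51.100.80", 443))
    # The legitimate reply is addressed to whatever the outside saw as our source.
    reply = fw.inbound(Packet("198.51.100.80", 443, out.src, out.sport))
    # An unrelated outside host tries to open a connection to port 22 on us.
    unsolicited = fw.inbound(Packet("203.0.113.7", 12345, out.src, 22))
    return {"outbound_seen_outside": out, "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for label, addr in (("with PAT", "203.0.113.1"), ("no NAT", None)):
        r = demo(addr)
        print(label, "reply delivered:", r["reply"] is not None,
              "| unsolicited dropped:", r["unsolicited"] is None)
```

In both runs the reply to the outbound connection is delivered to the inside host and the unsolicited inbound attempt is dropped; the only thing the PAT run changes is what source address and port the outside peer sees. That is the separation Owen is pointing at: the filtering decision comes from the state lookup and the default-deny policy, and the translation is an independent step.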