On Sat, 2007-03-10 at 17:21 -0700, Andy Bradford wrote:

> Hogwash. There is nothing inherently more secure, easier to secure or
> simpler about NAT (or PAT if you will) than using real IPs with a real
> firewall. Sure there are differences, but that doesn't mean that NAT is
> king in this area. I would much rather prefer a firewall with a deny all
> policy using real IPs than worry about NAT. Both methods block anything
> not explicitly allowed, but using real IPs offers a lot more flexibility
> in my opinion.
I'm not sure you really read what I said. I did not say that private IP addresses are more secure. Also, let me make this very clear. I AM NOT TALKING ABOUT PAT. I'm talking about one-to-one IP address translation. Why do you insist on bringing up PAT?

I'm sorry to sound a bit short, but it seems like many people on the list are not reading what I have said and are just knee-jerk reacting to it because I use the term "NAT," a term most people associate with the way their routers put traffic from a private subnet out onto the internet. While what your Linksys does can be called "NAT," it is not the primary purpose of NAT and in fact is NAPT or PAT.

I'm not saying Hans should forward a port. I'm saying that there should be a mapping done of one public IP address to *one* private address. This is not masquerading. Translation is something that is very common in the enterprise. It is used in a situation where you have a confluence of public and private IP addresses and you wish to make a DMZ. One important original purpose of NAT is to allow hosts to appear to be on two different subnets simultaneously, in a clean fashion. In fact, NAT in the past, before the proliferation of home networks, typically involved no private IPs at all.

Having said that, you are right about using real IP addresses. In fact, NATting a subnet in the way I have suggested is almost exactly the same as using real IP addresses. The only difference here is that the DMZ hosts wish to appear on two different subnets at one time. That adds routing complexities and a greater chance of allowing a host to do something it shouldn't do. In effect you have to have twice as many firewall rules.

Hans, for one, understood what I was suggesting, and stated his reasons for not doing it. He has had problems in the past where the IP address (the public IP) was encoded in the packet, causing issues when the IP address is translated.
Michael

> > Andy

/* PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin. */
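As an added illustration, not code from this thread or from any of its participants, the following Python model contrasts the two translation styles Michael distinguishes: one-to-one NAT, where each DMZ host owns a whole public address and every port reaches it without a forwarding entry, and PAT/NAPT, where one shared public address forces the translator to invent ports, keep connection state, and drop unsolicited inbound traffic unless a port-forward exists. It also models the failure Hans ran into: an application payload that still carries the pre-translation address after only the headers were rewritten. All addresses are constructed from RFC 5737 documentation ranges, and the mapping tables are assumptions for the demo, not any real network's configuration.

```python
"""Toy packet-level model of one-to-one NAT versus PAT (NAPT).

Added illustration, not code from the mailing-list thread. Addresses are
constructed RFC 5737 documentation ranges; tables are demo assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# One-to-one NAT: every DMZ host has its own public address (constructed).
# Ports are never touched, so no per-service forwarding rules are needed.
ONE_TO_ONE: Dict[str, str] = {
    "203.0.113.10": "192.168.1.10",
    "203.0.113.11": "192.168.1.11",
}
PRIVATE_TO_PUBLIC: Dict[str, str] = {priv: pub for pub, priv in ONE_TO_ONE.items()}


def one_to_one_inbound(pkt: Packet) -> Optional[Packet]:
    """Rewrite the destination of a packet arriving from the outside.
    Any port reaches the mapped host; unmapped public addresses are dropped."""
    priv = ONE_TO_ONE.get(pkt.dst)
    return None if priv is None else replace(pkt, dst=priv)


def one_to_one_outbound(pkt: Packet) -> Optional[Packet]:
    """Rewrite the source of a packet leaving the DMZ; unmapped hosts are dropped."""
    pub = PRIVATE_TO_PUBLIC.get(pkt.src)
    return None if pub is None else replace(pkt, src=pub)


# PAT/NAPT: one shared public address (constructed). The translator has to
# allocate ports and remember them; unsolicited inbound traffic has nowhere
# to go unless an explicit port-forward entry exists.
PAT_PUBLIC = "203.0.113.1"


class PatTable:
    def __init__(self, port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.active: Dict[int, Tuple[str, int]] = {}       # public port -> (priv ip, port)
        self.forwards: Dict[int, Tuple[str, int]] = dict(port_forwards or {})
        self._next_port = 40000                            # first allocated public port

    def outbound(self, pkt: Packet) -> Packet:
        """Masquerade: rewrite source to the shared address and a tracked port."""
        for pub_port, endpoint in self.active.items():
            if endpoint == (pkt.src, pkt.sport):          # reuse an existing mapping
                return replace(pkt, src=PAT_PUBLIC, sport=pub_port)
        pub_port = self._next_port
        self._next_port += 1
        self.active[pub_port] = (pkt.src, pkt.sport)
        return replace(pkt, src=PAT_PUBLIC, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Only replies to tracked connections or forwarded ports get through."""
        if pkt.dst != PAT_PUBLIC:
            return None
        target = self.active.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None                                   # unsolicited: dropped
        ip, port = target
        return replace(pkt, dst=ip, dport=port)


def payload_leaks_untranslated_address(before: Packet, after: Packet) -> bool:
    """Detect the problem Hans describes: the application layer still names an
    address that header translation replaced. Checks the dotted form and the
    comma-separated form used by FTP PORT/PASV."""
    changed = [a for a, b in ((before.src, after.src), (before.dst, after.dst)) if a != b]
    for addr in changed:
        for form in (addr.encode(), addr.replace(".", ",").encode()):
            if form in after.payload:
                return True
    return False


if __name__ == "__main__":
    outside = Packet("198.51.100.5", 40000, "203.0.113.10", 22)
    print("1:1 inbound ->", one_to_one_inbound(outside))
    print("PAT inbound (no forward) ->", PatTable().inbound(
        replace(outside, dst=PAT_PUBLIC)))
    ftp = Packet("198.51.100.5", 2000, "203.0.113.10", 21, b"PORT 203,0,113,10,8,1")
    print("payload leak ->", payload_leaks_untranslated_address(ftp, one_to_one_inbound(ftp)))
```

The point of the model is the asymmetry it makes visible: with one-to-one translation the inbound path needs only the address mapping plus the ordinary deny-all firewall policy, whereas PAT needs a stateful table and one forwarding entry per exposed service. The `payload_leaks_untranslated_address` check is the kind of thing an application-layer gateway (or a test harness) would look for before trusting that header-only translation is transparent to a protocol.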
