On 6/8/07, Michael Cozzi <[EMAIL PROTECTED]> wrote:

> NAT, for all its faults, does a decent job of keeping outsiders
> from connecting to an internal network. Having access to a true class C
> that you can use for LAN/WAN purposes on face value seems nice.

Just because each device has its own public IP address doesn't mean that it isn't behind a firewall. A "default-deny" policy works equally well with or without NAT.

> So be careful here, some guy with good intentions is going to take
> your "technically correct" opinions, misconfigure a firewall for 240
> devices on a class C, and 3 million people will have lost their credit
> card info, all because some cracker figured out how to script a
> dictionary attack through a Logitech Webcam.

If someone misconfigures a firewall with NAT, the same problem can occur. Unless I'm mistaken, a two-interface firewall like Shorewall creates will work just fine for routing a whole subnet, and setting rules for each machine behind it, even without NAT. It's not a common setup, because ISPs don't hand out large blocks of IPs, but it's possible.

Will

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
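A minimal Shorewall two-interface configuration of the kind described above, with the inside interface carrying a routed public /24 and no NAT, added here as an example and not taken from the original thread or from the Shorewall project; the 203.0.113.0/24 block, host addresses and interface names are constructed.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# eth1 carries the routed public block 203.0.113.0/24 (constructed);
# the LAN hosts use the firewall's eth1 address as their default gateway.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags,nosmurfs

# /etc/shorewall/policy
# Default-deny from the Internet; this is what keeps outsiders off the
# LAN, with or without NAT. The firewall and LAN may reach the Internet.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Per-host exceptions to the policy, possible because each LAN host has
# its own public address. Anything not listed here stays dropped.
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT  net     loc:203.0.113.25    tcp     443
ACCEPT  net     loc:203.0.113.53    udp     53

# /etc/shorewall/masq is left empty: no SNAT/MASQUERADE, so LAN hosts
# appear on the Internet with their own addresses.

# /etc/shorewall/shorewall.conf (single relevant setting): the kernel
# must forward between eth0 and eth1 for the routed block to work.
IP_FORWARDING=On
```

The inbound exposure of each LAN host is exactly the set of `ACCEPT net loc:...` lines, so a review of the `rules` file shows what an outsider can reach, which is the same audit you would do on a NATed setup's port forwards.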
