On 6/8/07, Henrique Cesar Ulbrich <[EMAIL PROTECTED]> wrote:
> Historians believe that, on Fri 08 Jun 2007, Will Murnane said:
> > Just because each device has its own public IP address doesn't mean
> > that it isn't behind a firewall. A "default-deny" policy works
> > equally well with or without NAT.
>
> You REALLY trust your firewall, don't you?

Yes. Do you not trust yours? If your firewall lets packets through it's not supposed to, I think it's time to find a new one!

To be clear, I'm not suggesting letting all of your machines be plugged into a switch that goes directly to the internet. That would lose you many advantages of having your own network - controlling DHCP, DNS, content filtering, and so forth - but when all the machines are going through one router, their security (aside from any filtering they themselves run) is dependent on how good the firewall is, not whether it does NAT or not. If your firewall drop rule fails, as Michael suggests, you have bigger problems than whether NAT is on or not.

Will

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
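A Shorewall configuration illustrating the point Will makes, added here as an example and not taken from the thread: a DMZ of hosts with routable public addresses and a LAN behind masquerading are both covered by the same default-deny policy toward the net zone, and the masq entry changes nothing about what inbound traffic is permitted. Zone names, interface names and the 192.168.1.0/24 LAN range are constructed assumptions.

```conf
# Added example, not from the thread: zone names, interface names and the
# 192.168.1.0/24 LAN range are constructed assumptions.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
# dmz: hosts with routable public addresses, no NAT
dmz     ipv4
# loc: hosts with private addresses, masqueraded behind eth0
loc     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter,nosmurfs
dmz     eth1        detect
loc     eth2        detect

# /etc/shorewall/policy
# Default-deny: anything arriving from net that no rule explicitly
# accepts is dropped, whether the destination zone is NATed or not.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# The only holes in the default-deny policy: a public web server in the
# DMZ and administrative ssh to the firewall itself.
#ACTION   SOURCE   DEST    PROTO   DEST PORT(S)
ACCEPT    net      dmz     tcp     80,443
ACCEPT    net      $FW     tcp     22

# /etc/shorewall/masq
# NAT applies to loc only; dmz is routed with its real addresses.
# Removing or adding this entry does not change the policy or rules above.
#INTERFACE   SOURCE
eth0         192.168.1.0/24
```

Run `shorewall check` to validate the files before `shorewall restart`.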
