On 6/8/07, Henrique Cesar Ulbrich <[EMAIL PROTECTED]> wrote:

> When I say "bypass", I wasn't being that specific. I was just saying that
> there are ways to avoid the firewall by using some other path.

If these ways exist, then this isn't a problem with NAT or no NAT - it's independent. If I open port 22 to my home box, and allow root access, I leave myself open whether NAT is on or not. The firewall and NAT features are related, in that they are in the same part of the kernel, but in terms of features they're independent.

> This doesn't mean that NAT is a bad thing.
> If, for instance, a software failure, bug or operator mistake happens and the
> firewall rules are shut off, NAT would still be a temporary security layer.

"Temporary security" is even worse than no security at all. If the firewall rules get shut down, the default of the OS should be to drop the packets (not route them)... but even so, if it's a concern, run two or three layers of firewalls. They're cheap, especially if they don't need to do NAT.

> ALSO, real IPs cost money. Even with IPv6, they will still cost money - maybe
> less money, but money indeed. RFC1918 addresses are free.

What I've heard (rumored) is that ISPs will hand out /64 blocks of IPs. The low 48 bits of that will be your machine's MAC address, leaving 16 bits of routeable space. Thus, "cheap" would be the word for real IPs. Even if they only handed out smaller blocks, I can't imagine any ISP so stingy as to hand out single IPs when they are so cheap.

Will

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
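An added example, not part of the thread, of checking the point made above: a NAT rule in the nat table says nothing about filtering, so an audit of an `iptables-save` dump should look only at the filter table's default policies. The two rulesets below are constructed samples, and the check function is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Reads iptables-save text on stdin and
# returns 0 only if the filter table's INPUT and FORWARD chains default to
# DROP. Whether a nat table (MASQUERADE etc.) exists is deliberately ignored,
# because NAT is not a substitute for a default-deny filter policy.
filter_default_drop() {
    awk '
        /^\*/ { table = substr($1, 2) }          # "*filter" -> "filter"
        table == "filter" && ($1 == ":INPUT" || $1 == ":FORWARD") {
            if ($2 != "DROP") bad++              # policy is field 2
        }
        END { if (bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample: masquerading plus a default-deny filter table.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed sample: same NAT, but the filter rules are gone and the
# chains fall back to ACCEPT. NAT alone must not make this pass.
BAD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

if printf '%s\n' "$GOOD_RULES" | filter_default_drop; then echo "good: default-deny"; fi
if ! printf '%s\n' "$BAD_RULES" | filter_default_drop; then echo "bad: NAT only, no default-deny"; fi
```

On a live host the same check is `iptables-save | filter_default_drop`.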
