On Wed, 2010-09-08 at 14:25 -0700, John Andersen wrote:
On 9/8/2010 2:03 PM, James Knott wrote:
It's time for you to find a new ISP. NAT is broken in a number of ways. For example, it breaks some protocols and makes it impossible for a user to reach their network from elsewhere. Also, it's possible for an ISP to overload NAT, as each IP address has a limited number of ports that can be remapped.

Well, in some ways, making it harder to reach your own net is not totally a bad idea. What you can reach, others can reach, and with a NAT-less internet you end up requiring protection in every device.
Golly - NAT IS NOT A SECURITY MEASURE! How many times does that have to be said to sink in?
Desirable perhaps, but not practical.
Why? Firewalls are cheap and abundant. It is extremely practical and [I hope] common practice. It is legally required in many circumstances.
Breaking some protocols, true, ftp is something that was broken from the start and the fact that it does not work well with nat is hardly the end of the world.
NAT is just a pain, and a pointless one.
As for impossible to reach your own net through NAT,
False. Watch any hacker worth his salt blow right through your NAT. NAT is not security. A firewall is security. NAT != Firewall. NAT is at best obfuscation, and it is obfuscation both ways [it breaks apps from inside too, and renders PKI even more difficult than it already is]. Obfuscation is not security, so throw NAT away. NAT is nothing, ***nothing***, but a hack for IPv4's limited address space. That's it. Nothing else. Just configure a firewall. Easy, done.
I suggest prior planning.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
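The "just configure a firewall" point above, made concrete: the incidental protection people attribute to NAT comes from the connection-tracking table, and a stateful filter gives the same default-deny behaviour without rewriting addresses. The nftables ruleset below is an added example, not code from any poster on this thread; it assumes a dual-stack router with a LAN interface named lan0, a WAN interface named wan0, and an internal web server at 2001:db8:1::80 (documentation prefix), all hypothetical. Hosts keep their global addresses, so they remain reachable from elsewhere exactly where you say so and nowhere else.

```nft
#!/usr/sbin/nft -f
# Stateful firewall without NAT (added example; interface names and
# the 2001:db8:1::80 server address are assumptions for illustration).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        # This line is what NAT users are actually relying on:
        # replies to connections we initiated come back in.
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without neighbor discovery and PMTU signalling,
        # so a blanket ICMPv6 drop would break the NAT-less network itself.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      echo-request, destination-unreachable,
                      packet-too-big, time-exceeded, parameter-problem } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # Management only from the LAN side.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open connections to the outside.
        iifname "lan0" oifname "wan0" accept

        # Explicit exposure replaces the NAT port-forward: the server keeps its
        # real address, and only HTTPS to it is admitted from the WAN.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::80 tcp dport 443 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` on the router and check the result with `nft list ruleset`. Every unsolicited inbound packet, v4 or v6, hits the drop policy; the only thing that changed versus a NAT box is that the one service you intend to expose is listed by its own address and port instead of hidden behind a translation entry, which is also what makes the "reach your own net from elsewhere" case work again.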