Re: [arin-announce] IPv4 Address Space (fwd)

["E.B. Dreger" <eddy+public+spam () noc everquick net>]

JB> Date: Wed, 29 Oct 2003 15:27:27 -0600
JB> From: Jack Bates


JB> I think the point that was being made was that NAT allows the
JB> filtering of the box to be more idiot proof. Firewall rules
JB> tend to be complex, which is why mistakes *do* get made and
JB> systems still get compromised.  NAT interfaces and setups
JB> tend to be more simplistic, and the IP addresses of the
JB> device won't route publicly through the firewall or any
JB> unknown alternate routes.

NAT "security" is a byproduct of NAT's stateful filtering.  One
can accomplish the same effect with

        check-state
        allow ip any any recv internal0 keep-state
        deny ip any any

Such a default fw config would be equally idiot-proof with no IP
obfuscation.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
          DO NOT send mail to the following addresses :
  blacklist () brics com -or- alfra () intc net -or- curbjmp () intc net
Sending mail to spambait addresses is a great way to get blocked.