
NAT isn't a firewall Re: harbinger, Re: [midcom] WG scope/deliverables

2001-02-03 11:50:03


Einar Stefferud wrote:
> [..]
> had my own home system and discovered that I had no interest in being
> totally visible and accessible at all times, especially when I was
> not always around to monitor things.
>
> So, now I am very happy behind my little XRouter NAT box, with an ISP
> service out there where I can have a login shell if I wish.

NAT doesn't primarily provide security, a firewall does. A firewall
doesn't have to do NAT. If you don't mind the number of IP addresses
you get from your ISP, install a smart firewall and ditch the NAT
box (or twiddle some config options in your Xrouter... whatever)

> [..]
> But, I also note that I choose this because it is good for me
> locally, not because I cannot get an IP number for some reason.

You need a firewall. This isn't immediately relevant to a discussion
about the architectural implications of, or reasons for, NAT.

> So, much of this argument appears to be based on the simple fact that
> IP numbers are scarce, and so some companies have chosen to go along
> with NATS when they have no other reason than the shortage of
> available IP numbers.
>
> If so, then that is the problem to solve and leave those of us who
> want NATS alone in our happiness;-)...  Even with IPV6, I would stay
> the way I am.

With IPv6 I would hope you'd still want a firewall on your home
connection. But that's not NAT.

cheers,
gja
________________________________________________________________________
Grenville Armitage                    http://members.home.net/garmitage/
Bell Labs Research Silicon Valley