I think that it is important to separate NAT from firewall
functionality. One device may provide both functions. But if the
intent is to provide only a NAT function, then Keith is right and
transparency needs to be the default.
If the intent is to provide a firewall function then all the
manageability and configuration concerns of a firewall apply.
This ends up trying to specify how a zero-configuration firewall should
work, or how a firewall for a dumb customer should work out-of-the-box.
It's an unreasonable problem because the network is explicitly designed
to be general purpose and to support an infinite variety of
applications, but the fundamental assumption behind such a firewall is
that the firewall can be aware of what is going on in the network and
know whether or not the network behavior it is seeing is reasonable.
The answer to the question of whether the behavior is reasonable is
going to vary widely from one application to another and from one
installation to another. There's no way that the firewall can tell by
looking. Even expecting all conversations to be initiated from inside
the firewall is dodgy - partially because there are legitimate apps that
need to not work that way, partially because there are conversations
that involve more than two hosts at a time, partially because there are
occasions when remote hosts are forced to change IP addresses.
Keith
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf