As the administrator of several small networks, it is quite simple. By
re-writing the address, the NAT is a de facto default deny. I have a lot
more trust in the simplicity of a basic NAT in a consumer firewall than I
do in any firewall which has to examine each packet for conformance to
complex policy rules.
But, this misses the point I see in Phillip's discussion... I read his
ultimate proposal as:
a. Stop bashing NAT, it provides value in the current network and
has prevented a total meltdown which would have happened if every
early OS were directly attached to the internet
b. REPLACE NAT with a default deny infrastructure ... more than
just a single FW choke point.
On Mon, 2 Jul 2007, Melinda Shore wrote:
> On 7/2/07 11:14 AM, "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
> wrote:
>> There is no other device that can provide me with a lightweight firewall for
>> $50.
>
> Of course there is - the same device that's providing the NAT.
> NAT by itself is intrinsically policy-free, although it implements
> policy as a side-effect. I'm unclear on why you think that a
> default-deny policy is better implemented on a NAT than on a
> firewall.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
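The disagreement in this thread (a NAT is a de facto default deny versus a NAT is policy-free and only denies as a side effect) can be made concrete with a small model. The following is an added illustration, not code from the thread or from any IETF document: a port-restricted NAT whose translation table is populated only by inside-initiated flows, beside a stateful filter that rewrites nothing and carries an explicit default-deny policy. All addresses, ports and the single port forward are constructed sample values; the class and function names are this example's own.

```python
"""Toy model of why a consumer NAT behaves like a default-deny firewall, and
why that protection is a side effect of its translation table rather than a
stated policy.  Added illustration; not code from the IETF thread.  All
addresses and ports below are constructed sample values."""

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortRestrictedNat:
    """Translation entries exist only for flows an inside host started,
    plus any static port forwards the administrator configured."""

    def __init__(self, public_ip: str,
                 port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards or {})   # public port -> inside endpoint
        self.next_port = 40000
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.assigned: Dict[Tuple[str, int], int] = {}   # inside endpoint -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source and remember the mapping; returns the packet as seen outside."""
        inside = (pkt.src, pkt.sport)
        if inside not in self.assigned:
            self.assigned[inside] = self.next_port
            self.next_port += 1
        pub_port = self.assigned[inside]
        self.table[(pub_port, pkt.dst, pkt.dport)] = inside
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Returns the translated packet delivered inside, or None if dropped."""
        if pkt.dport in self.port_forwards:      # static mapping: inbound allowed unconditionally
            ip, port = self.port_forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        inside = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None          # no mapping, nowhere to rewrite to: the "de facto deny"
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


class DefaultDenyFilter:
    """Stateful filter with an explicit policy; no address rewriting at all."""

    def __init__(self, allow_inbound: Optional[Set[Tuple[str, int]]] = None):
        self.allow_inbound = set(allow_inbound or ())   # (inside ip, port) explicitly opened
        self.established: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> Packet:
        self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
            return pkt           # reply to a flow an inside host started
        if (pkt.dst, pkt.dport) in self.allow_inbound:
            return pkt           # explicitly permitted by rule
        return None              # default deny: dropped by policy, not by accident


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Returns, per case, (delivered by NAT, delivered by explicit filter)."""
    nat = PortRestrictedNat("192.0.2.1", port_forwards={22: ("10.0.0.5", 22)})
    fw = DefaultDenyFilter()
    results: Dict[str, Tuple[bool, bool]] = {}

    # 1. Inside host starts a flow; the reply must pass in both models.
    out = Packet("10.0.0.5", 51000, "203.0.113.7", 443)
    nat_out = nat.outbound(out)
    fw.outbound(out)
    reply_nat = Packet("203.0.113.7", 443, nat_out.src, nat_out.sport)
    reply_fw = Packet("203.0.113.7", 443, out.src, out.sport)
    results["reply to inside-initiated flow"] = (
        nat.inbound(reply_nat) is not None, fw.inbound(reply_fw) is not None)

    # 2. Unsolicited packet to a port nobody opened: both drop it.
    probe_nat = Packet("198.51.100.9", 4444, "192.0.2.1", 3389)
    probe_fw = Packet("198.51.100.9", 4444, "10.0.0.5", 3389)
    results["unsolicited packet"] = (
        nat.inbound(probe_nat) is not None, fw.inbound(probe_fw) is not None)

    # 3. Port forward: the NAT delivers it because a mapping exists; the filter
    #    still drops it because no allow rule was written.  Same packet, different reason.
    fwd_nat = Packet("198.51.100.9", 4445, "192.0.2.1", 22)
    fwd_fw = Packet("198.51.100.9", 4445, "10.0.0.5", 22)
    results["port-forwarded ssh"] = (
        nat.inbound(fwd_nat) is not None, fw.inbound(fwd_fw) is not None)
    return results


if __name__ == "__main__":
    for case, (via_nat, via_filter) in run_scenario().items():
        print(f"{case:32s} NAT delivers: {via_nat!s:5s} filter delivers: {via_filter}")
```

The first two cases behave identically, which is the "NAT is a de facto default deny" observation. The third case is where the two views part ways: one static mapping on the NAT admits inbound traffic with no policy statement anywhere, whereas the filter keeps dropping it until an `allow_inbound` entry is added, so the deny is something an administrator can read and audit rather than an artefact of which mappings happen to exist.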