On 12/27/2010 06:58 AM, Marko Vojinovic wrote:
> There was a quite large thread on the CentOS list recently about this.
>
> In a nutshell, the conclusion is that (1) is an urban legend --- NAT *does*
> *not* (and moreover, *should* *not*) shield your inside machines from outside
> attacks. You still need to use the proper firewall for shielding.
>
Thank you for your thoughts ... it really is time for me to learn more!

Anyone having NAT has some kind of firewall - they go together - even if it's a Linksys box. In my case my border firewall is quite extensive ... with plenty of netblocks that are disallowed access to any service whatsoever ...

I need to learn more about ip6 - but I assume nf_conntrack works the same way in ip6tables. I suppose routing through (when allowed) versus nat'ing through when allowed are not all that different, but they are different... are the security implications obvious? The firewall is still controlling what is allowed or not ... though I am sure my understanding of a DMZ needs updating for ip6 .. so much to learn :-)

Any suggestions for good guides on ip6 - firewalling - DMZs - and transition management including setting up ip6-ip4 and ip4-ip6 gateways as may be needed?

> > at the price of breaking functionality.

Not sure what 'things' are really broken today in practice by nat - certainly ftp is typically no longer used with a separate incoming port, though we do have ftp_conntrack just in case ...

Thanks again .. sharing knowledge is very helpful ... ip6 is coming soonish and I definitely need to prepare ...

gene

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
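The stateful-filtering point raised in the thread, shown as an added example that is not from either poster: an ip6tables-restore ruleset for a border router with a LAN and a DMZ, where nothing is NATed and every host has a global address, so the conntrack state match does the work that people wrongly credit to NAT. The interface names, the 2001:db8::/32 documentation prefixes and the DMZ web host address are assumed placeholders.

```conf
# Assumed layout: eth0 = upstream, eth1 = LAN 2001:db8:2::/64, eth2 = DMZ 2001:db8:1::/64
# (2001:db8::/32 is the documentation prefix; substitute your delegated prefixes).
# Load with: ip6tables-restore < this-file
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# --- traffic addressed to the router itself ---
-A INPUT -i lo -j ACCEPT
# Same conntrack engine as on IPv4: only replies to connections we started come in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 is not optional: neighbour/router discovery, PMTU and error signalling.
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# Management of the router only from the LAN side.
-A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# --- traffic routed through (no NAT: inside hosts are directly reachable) ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
# LAN may open connections outward; nothing may open connections into the LAN.
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
# DMZ web host (assumed 2001:db8:1::80) reachable from outside on 80/443 only.
-A FORWARD -i eth0 -o eth2 -d 2001:db8:1::80 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# DMZ hosts may reach the Internet but may not initiate into the LAN.
-A FORWARD -i eth2 -o eth1 -m conntrack --ctstate NEW -j DROP
-A FORWARD -i eth2 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```

Without the ESTABLISHED,RELATED and NEW state matches in FORWARD, a default-ACCEPT forwarding router would pass unsolicited packets straight to LAN hosts, which is exactly the exposure that NAT only appears to prevent on IPv4.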