On Wednesday 29 December 2010 01:11:00 Bill Davidsen wrote:
> Marko Vojinovic wrote:
> > On Sunday 26 December 2010 22:11:17 you wrote:
> >> On 12/26/2010 02:40 PM, Marko Vojinovic wrote:
> >> Historically, we used nat for 2 purposes:
> >> (1) to shield inside machines
> >> (2) free up ipv4 (was an accidental consequence of (1)
> >
> > In a nutshell, the conclusion is that (1) is an urban legend --- NAT
> > *does* *not* (and moreover, *should* *not*) shield your inside machines
> > from outside attacks. You still need to use the proper firewall for
> > shielding.
> >
> > The only benefit of NAT is (2), i.e. artificially enlarging the scope of
> > available v4 IP numbers, at the price of breaking functionality. And this
> > is not a consequence of (1), but rather the primary reason why NAT was
> > introduced in the first place.
>
> Clearly you have little understanding of the other uses of NAT, one of
> which is connect redirection. For instance, when I get a connect to an IP
> and port, it allows me to send the connection to some machine inside the
> firewall without having to have the rest of the machine ports available or
> the "real" IP visible.

You don't need NAT for this. Just configure the firewall to drop all non-established incoming packets to that machine's IP, except those on that specific port. This has nothing to do with the visibility of the IP of that machine.

Btw, you need the firewall anyway, so why maintain both NAT and a firewall, when you can maintain just the firewall?

> I realize that somehow you have convinced yourself
> that not allowing everyone on Earth to bang on every machine somehow is
> bad or unnecessary,

I never said anything like that, nor am I convinced that is true. You realized wrong.

> and that every machine running every OS can somehow be
> protected by a firewall,

Why not? Just implement the firewall instead of the NAT at your gateway, and you are done.

I bet that the firewall is actually already there, working along with NAT (unless you have disabled it on purpose, which would be a bad idea anyway). This is the most common configuration these days, AFAIK.

> but in practice this doesn't work most of the
> time. What is possible in theory with a perfect firewall doesn't happen
> and/or takes a huge investment in effort and auditing to approximate.

This is just FUD. How much time does it take to implement NAT yourself? Have you ever tried it, or have you just used a preconfigured NAT implementation in your router? Routers come with a preconfigured firewall as well, for users who don't want to bother doing it manually.

I see absolutely no serious investment in effort and auditing of a firewall. It's as easy to implement as NAT. And it's already there, in most of the networking hardware one can buy these days, preconfigured for the most common use cases.

> NAT can even be used for load balancing including fail-over, and again
> there are other ways, but little to be gained by doing it at lower levels.

If NAT were seriously useful for these things, people would use it for that purpose. As you may know, NAT can also be implemented with *public* IPs --- the internal address does not need to be a local, non-routable one. But I've never ever seen anyone implement NAT over public IPs just to deal with fail-over and load-balancing. This is always done within the DNS configuration, the round-robin method being the most elementary (and crudest) way.

The only usage of NAT I've ever seen is an artificial increase in the IP pool. And that's precisely the reason why it has been designed, and also why it will become obsolete once IPv6 becomes dominant.

> Please understand which problem set is most simply solved by NAT (or
> anything else you suddenly decide is obsolete). IPv6 solutions will
> undoubtedly be different, but don't just make a generalization because you
> want it to be true.

You know, it is possible to implement NAT under IPv6, too, if you can find a meaningful purpose for it. Let's wait and see how many people will find it necessary or at least useful for anything, once everyone obtains a /64 segment of v6 addresses. My bet is that in 20 years no one will even remember the concept of NAT, let alone implement it anywhere...

HTH, :-)
Marko
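The exposure argument made in the thread, modelled as an added example that is not part of the original post: a stateful gateway filter that accepts established traffic and new connections only to one host and port, run once behind a simplified NAT box with a port forward and once with the inside host on a routable address. All addresses and ports are constructed (RFC 5737 documentation ranges), and the NAT's reverse mapping is deliberately keyed on port alone to keep the model short.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport new", defaults=[True])  # new: SYN?

class StatefulFilter:
    """Gateway policy: ACCEPT ESTABLISHED, ACCEPT NEW only to (host, port), DROP all else."""
    def __init__(self, host, port):
        self.host, self.port = host, port
        self.state = set()  # (inside_ip, inside_port, remote_ip, remote_port)
    def outbound(self, pkt):  # record connections the inside host opens itself
        self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "ACCEPT"  # reply to a connection the inside host opened
        if pkt.new and (pkt.dst, pkt.dport) == (self.host, self.port):
            return "ACCEPT"  # the one deliberately exposed service
        return "DROP"  # unsolicited traffic to any other port

class Nat:
    """Simplified NAT box: DNAT one port to the inside host, masquerade the rest."""
    def __init__(self, public_ip, inside_ip, fwd_port):
        self.public_ip, self.inside_ip, self.fwd_port = public_ip, inside_ip, fwd_port
        self.reverse = {}  # translated source port -> inside address (port-keyed, simplified)
    def outbound(self, pkt):
        self.reverse[pkt.sport] = pkt.src
        return pkt._replace(src=self.public_ip)
    def inbound(self, pkt):
        if pkt.dport == self.fwd_port:
            return pkt._replace(dst=self.inside_ip)
        if pkt.dport in self.reverse:
            return pkt._replace(dst=self.reverse[pkt.dport])
        return pkt  # no mapping: packet stays addressed to the gateway itself

def verdicts(target_ip, port, use_nat):
    """Push one probe set through the gateway; return the filter's decision per probe."""
    inside = "192.168.1.10" if use_nat else target_ip  # constructed addresses
    fw = StatefulFilter(inside, port)
    nat = Nat(target_ip, inside, port) if use_nat else None
    out = Packet(inside, 40000, "198.51.100.7", 443)  # inside host browses out
    fw.outbound(out)
    if nat:
        nat.outbound(out)
    probes = {
        "exposed port": Packet("198.51.100.9", 5555, target_ip, port),
        "other port": Packet("198.51.100.9", 5556, target_ip, 445),
        "forged reply": Packet("198.51.100.9", 443, target_ip, 40000, False),
        "genuine reply": Packet("198.51.100.7", 443, target_ip, 40000, False),
    }
    return {k: fw.inbound(nat.inbound(p) if nat else p) for k, p in probes.items()}
```

Running `verdicts("203.0.113.1", 22, True)` and `verdicts("203.0.113.10", 22, False)` gives the same four decisions: the filter, not the address translation, is what decides which packets reach the inside host.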