On Mon, 2011-02-14 at 11:17 -0600, Florin Iucha wrote:
> On Mon, Feb 14, 2011 at 10:45:39AM -0600, Justin Krejci wrote:
> > Explain how NAT does this? NAT simply mangles the IP headers.
> > A stateful firewall can protect you from port scans and other baddies
> > without NAT.
>
> If an attacker can't know your IP address, they can't connect to it.

If an attacker knows your IP address and you block access, they can't
connect to it.

> > It is bad because it has broken protocols, applications, and end-to-end
> > communications and caused much grief and likely loss of functionality in
> > various applications because of it, unseen loss of functionality.
>
> Facebook? Google? Flickr? Netflix?

Websites only? How much cruft has been added to web browsers and webapps to
help identify individual users? How many extra software bugs? End users are
paying the price by having increased complexity all over the place that
affects businesses (particularly network operators like ISPs) as NAT adds
overhead to network devices and humans to maintain. The venerable FTP and
SIP don't like NAT. NAT is such a fundamental part of so many things these
days but has about zero benefit. What about the requirement of having some
third party broker connections between NAT'ed hosts for the average lay
person?

> It is bad for *you* and *me*, but not for average Joe. Average Joes
> vastly outnumber us. Unless we come up with a killer app that AJ
> cares about and is broken by IPv4 NAT, then the ISPs will march
> forward. Eventually they will run out of money to buy routers
> (because of the 64K ports per IPs) but that's next year, not this.

My point is not that nothing works with NAT, it is that it has added
unnecessary complexity and overhead for about zero gain. Developer code
overhead, administrative overhead/complexity, more QA requirements, etc.
Just because something can be "worked around" doesn't mean we should have
no concern that it is there at all.

Should we not bother with the fundamental flaws and just carry on because
we have a workaround in place?

>
> > I maintain NAT is evil. And even "extending the life of IPv4" is
> > debatable as a plus for the overall picture.
>
> I do not maintain that NAT is beautiful for everybody all the time.
> But 'evil' is a loaded term that should be reserved for special occasions.

How is NAT ever beautiful for anyone? I don't claim there is no place for
NAT but it is not beautiful and let's not confuse NAT with security. Turn
off NAT and your stateful deny-default policy firewall still blocks all the
same packets just as well.
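The last point of the message (a stateful deny-by-default filter blocks the same unsolicited packets whether or not addresses are translated) can be shown with a small simulation. The following is an added example, not code from the thread or its participants: a toy connection tracker with optional source NAT, run over a constructed sequence of packets (an unsolicited inbound probe, an outbound connection, its genuine reply, and a packet that claims to be a reply but does not match the recorded flow). All addresses, ports and class names are assumptions chosen for the illustration.

```python
"""Toy stateful, deny-by-default packet filter with optional source NAT.

Added example (not from the mailing-list thread). The filtering decision is
made purely from connection state; NAT only rewrites addresses on the way out
and undoes the rewrite on the way in, so the verdicts are identical in both
modes. All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP flow


class StatefulFilter:
    def __init__(self, inside_prefix="10.0.0.", nat_ip=None):
        self.inside_prefix = inside_prefix
        self.nat_ip = nat_ip       # None means no translation at all
        self.flows = set()         # (src, sport, dst, dport) of outbound flows seen
        self.nat_map = {}          # (nat_ip, mapped_port) -> (orig_src, orig_sport)
        self.next_port = 40000     # hypothetical port pool for NAT mappings

    def outbound(self, pkt):
        """Inside host to Internet: allowed, and the flow is recorded."""
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if self.nat_ip is None:
            return "ACCEPT", pkt
        mapped = self.next_port
        self.next_port += 1
        self.nat_map[(self.nat_ip, mapped)] = (pkt.src, pkt.sport)
        return "ACCEPT", Packet(self.nat_ip, mapped, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        """Internet to inside: undo NAT if present, then apply the state check."""
        inner = pkt
        if self.nat_ip is not None:
            orig = self.nat_map.get((pkt.dst, pkt.dport))
            if orig is None:
                return "DROP", None  # nothing mapped at this port: nowhere to deliver
            inner = Packet(pkt.src, pkt.sport, orig[0], orig[1], pkt.syn)
        # Deny by default: only non-SYN replies to a recorded outbound flow pass.
        reverse = (inner.dst, inner.dport, inner.src, inner.sport)
        if reverse in self.flows and not inner.syn:
            return "ACCEPT", inner
        return "DROP", None


def run_scenario(nat_ip):
    """Run the same four packets through a filter with or without NAT."""
    fw = StatefulFilter(nat_ip=nat_ip)
    verdicts = []
    # 1. Unsolicited inbound SYN to port 22 (a scan probe): no state, dropped.
    probe_dst = nat_ip or "10.0.0.5"
    verdicts.append(fw.inbound(Packet("198.51.100.9", 54321, probe_dst, 22, syn=True))[0])
    # 2. Inside host opens an HTTPS connection outward; 'wire' is what the Internet sees.
    _, wire = fw.outbound(Packet("10.0.0.5", 51000, "203.0.113.80", 443, syn=True))
    # 3. Genuine reply from the server: matches recorded state, accepted.
    verdicts.append(fw.inbound(Packet("203.0.113.80", 443, wire.src, wire.sport))[0])
    # 4. Packet from the same server but a different source port: no matching flow, dropped.
    verdicts.append(fw.inbound(Packet("203.0.113.80", 8080, wire.src, wire.sport))[0])
    return verdicts


if __name__ == "__main__":
    print("without NAT:", run_scenario(None))
    print("with NAT:   ", run_scenario("192.0.2.1"))
```

Running it prints the same verdict list for both modes; the probe and the mismatched packet are dropped by the state check alone, and the translation step neither adds nor removes a blocked packet.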