Once upon a time, Roger Marquis <marq...@roble.com> said:
> Address conservation aside, the main selling point of NAT is its filtering
> of inbound session requests. NAT _always_ fails-closed by forcing inbound
> connections to pass validation by stateful inspection. Without this you'd
> have to depend on less reliable (fail-open) mechanisms and streams could be
> initiated from the Internet at large. In theory you could enforce
> fail-closed reliably without NAT, but the rules would have to be more
> complex and complexity is the enemy of security.
NAT == stateful firewall + packet mangling. You can do all the same stateful
firewall bits and drop the packet mangling quite easily (it is certainly not
"more complex" to not mangle packets).
-- 
Chris Adams <cmad...@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
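To make the "stateful firewall + packet mangling" split concrete, here is an added nftables example (not posted by either participant) showing the same fail-closed forward policy first with no translation at all, then with NAT added. The interface names "lan0" (inside) and "wan0" (upstream) are assumptions for the illustration.

```nft
# Added example, not from the original thread. Assumes a Linux router with
# an inside interface "lan0" and an upstream interface "wan0".

# 1. Stateful, fail-closed forwarding with no address translation.
#    The chain's default policy is drop, so any packet the connection
#    tracker cannot tie to a flow that left via lan0 never gets through.
#    Inbound session requests are refused without any NAT being involved.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop                                # malformed / out-of-window
        ct state established,related accept                 # replies to flows we opened
        iifname "lan0" oifname "wan0" ct state new accept    # new flows: inside -> out only
    }
}

# 2. The NAT variant. The filter table above is left exactly as it is;
#    NAT only adds a second table whose sole job is to rewrite the source
#    address on the way out (the "packet mangling"). It plays no part in
#    the accept/drop decision, which the forward chain already made.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "wan0" masquerade
    }
}
```

Check the syntax with `nft -c -f rules.nft`, load with `nft -f rules.nft`, and watch the tracker with `conntrack -L`. With either ruleset an unsolicited SYN arriving on wan0 hits `policy drop` in the forward chain; the only difference the masquerade makes is the source address seen by the outside world on flows the inside opened. The explicit drop policy is also what keeps things fail-closed later: a `dnat` port-forward added to the nat table still forwards nothing until a matching `accept` is written in the forward chain.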