----- Original Message -----
> From: "Jimmy Hess" <mysi...@gmail.com>

> There's no reason for the internet community to re-design every
> protocol to allow and try to function in a NAT environment, for the
> benefit of a small number of edge networks, who want a private castle
> with hosts on their network not connected to the internet, for no
> reason that has been adequately justified.

Justify, yourself in turn, "small number".  My personal estimate of the
number of NATted edge networks is well north of 75%, on a network count
basis.

> No one has ever provided me with a serviceable explanation of why a
> stateful firewall is an insufficient method for implementing any
> desired network policy, with regards to limiting accepted traffic to
> outbound connections for nodes on an edge network.

Complexity of the configuration vastly increases the size of the attack
surface: in a NATted edge network, *no packets can come in unless I
explicitly configure for them*; there are any number of reasons why an
equivalently simple assertion cannot be made concerning the
configuration of firewalls, of whatever type or construction.

In a firewall, you are *fighting* the default "route this packet"
design; in a NATgate, you have to consciously throw the packets over
the moat.

I've never been clear why this isn't intuitively obvious to the people
with whom I have to have this argument.

Cheers,
-- jra
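An added example, not part of either poster's message, showing the two constructs the thread is arguing about side by side in one nftables ruleset: a stateful filter whose input and forward chains default to drop and admit only conntrack-established replies (the "no packets come in unless I explicitly configure for them" invariant stated for a firewall), plus the NAT table with masquerade and a single DNAT "throw it over the moat" exception. Interface names (lan0, wan0), the 192.168.1.0/24 LAN and the host 192.168.1.10 are placeholders chosen for this illustration.

```nft
# Hypothetical edge-gateway ruleset (example only; interface names and
# addresses are placeholders).  Load with: nft -f this-file
flush ruleset

table inet filter {
    chain input {
        # Packets addressed to the gateway itself: default deny.
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        # Only replies to flows the gateway itself opened are admitted.
        ct state established,related accept
        iif "lo" accept
        # Management from the LAN side only.
        iif "lan0" accept
    }

    chain forward {
        # Transit packets between LAN and WAN: default deny.
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        # Inbound from the WAN is accepted only when conntrack already
        # holds an entry created by an outbound connection.  This is the
        # stateful-firewall equivalent of a NAT box having no mapping.
        ct state established,related accept
        # LAN hosts may originate connections to the WAN.
        iif "lan0" oif "wan0" accept
        # The single deliberate exception: SSH to one LAN host.  DNAT
        # runs in prerouting, so by the time the packet reaches this
        # chain its destination is already the translated LAN address.
        iif "wan0" oif "lan0" ip daddr 192.168.1.10 tcp dport 22 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Explicit inbound mapping; without the matching forward-chain
        # accept above, this alone does not let the packet through.
        iif "wan0" tcp dport 22 dnat to 192.168.1.10
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Source-NAT LAN traffic behind the WAN address; the mapping
        # created here is what lets replies back in.
        oif "wan0" masquerade
    }
}
```

The check a practitioner wants after loading this is `nft list ruleset`: both hook chains must show `policy drop`, and the only rule admitting WAN-originated traffic should be the one DNAT exception. Note that in nftables an inbound DNAT mapping is not by itself an accept; the forward chain still has to admit the translated packet, so the NAT table and the filter table must be read together.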