William Herrin (bill) writes:

> If your machine is addressed with a globally routable IP, a trivial
> failure of your security apparatus leaves your machine addressable
> from any other host in the entire world which wishes to send it
> packets. In the parlance, it tends to "fail open." Machines using
> RFC1918 or RFC4193 space often have the opposite property: a failure
> of the security apparatus is prone to leave them unable to interact
> with the rest of the world at all. They tend to "fail closed."
>
> Think of it this way: Your firewall is a deadbolt and RFC1918 is the lock
> on the doorknob. The knob lock doesn't stop anyone from entering an
> unlatched window, opening the door from the inside and walking out
> with all your stuff. Yet when you forget to throw the deadbolt, it
> does stop an intruder from simply turning the knob and wandering in.
>
That's not exactly correct. NAT doesn't imply firewalling/filtering.

To illustrate this to customers, I've mounted attacks/scans on hosts behind NAT devices, from the interconnect network immediately outside: if you can point a route with the ext ip of the NAT device as the next hop, it usually just forwards the packets...

Phil
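To make the distinction concrete, here is an added nftables illustration (not part of the thread): ruleset A is NAT alone, which still forwards a packet that arrives on the outside interface already addressed to a private host, while ruleset B adds the stateful forward filter that actually makes the box fail closed. Interface names eth0 (WAN) and eth1 (LAN) are assumed.

```nft
# Constructed example; WAN is eth0 and LAN is eth1 (assumed names).

# Ruleset A: NAT only. The forward path has no filter chain at all, so a
# packet that reaches eth0 with a destination of, say, 192.168.1.10 is
# simply forwarded to that host. Translation happens; filtering does not.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}

# Ruleset B: keep the nat table above and add a forward filter whose
# default is drop, so a missing or broken rule fails closed rather than open.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN initiated are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Anything arriving from the outside already addressed to RFC1918
        # or RFC4193 space is misrouted or hostile; log it so the attempt
        # is visible, then drop it.
        iifname "eth0" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
            log prefix "wan-to-private: " drop
        iifname "eth0" ip6 daddr fc00::/7 log prefix "wan-to-private6: " drop

        # New connections are only permitted from the LAN towards the WAN.
        iifname "eth1" oifname "eth0" accept
    }
}
```

With ruleset A alone, the route trick described above delivers packets to inside hosts; with ruleset B, the same packets are counted in the log and never leave the forward chain.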