> > similarly, people who install NAT usually don't realize how much this
> > costs them in lost functionality and reliability.
>
> Really? You have evidence of this?

the evidence I have is from reading vendor advertisements for NAT boxes, and from talking to people who run networks that use NAT. it's not a random sample, perhaps not a statistically significant one, but it's been enough to convince me personally that the delusion is widespread.

> I don't either, but my intuition is that you're wrong. Once you have
> decided to have a firewall in place (which you may think is evil, but
> I consider pretty much a necessary evil), I suspect that most people
> suffer almost not at all from having a NAT.

depends on what you mean by "firewall" (which these days is a pretty vague term). but there are several primary effects of NAT - one being that addresses are not maintained end-to-end, another being that NATs cause address-to-host bindings to be ephemeral when they would otherwise not be, and another being that (for NAPTs anyway) attempts to initiate traffic across the NAPT are blocked in one direction. there is rarely a significant benefit in a firewall doing the first two of these. a good firewall has the capability to block traffic in either direction, or not, on a case-by-case basis, and can be adjusted according to the needs of its users.
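The three NAPT effects the reply lists (source addresses rewritten rather than carried end-to-end, address-to-host bindings that exist only as long as a translation entry is alive, and inbound traffic with no existing binding being dropped) can be seen in a small translation-table model. The code below is an added illustration, not part of the thread or of any real NAT implementation; the `Napt` class, its idle timeout, and all addresses and ports (203.0.113.1, 10.0.0.5, 198.51.100.7, 192.0.2.9) are constructed sample values.

```python
"""Toy NAPT (port-translating NAT) model.

Added example, not from the original message. It exists only to show the
three effects named in the reply: (1) the outside peer sees the NAT's
public address, not the inside host's; (2) the binding is ephemeral and
vanishes after an idle timeout; (3) inbound packets with no binding are
dropped. Addresses, ports and timeouts are constructed sample values.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip, idle_timeout=60.0, first_port=40000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout        # seconds of silence before a binding dies
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (private_ip, private_port) -> (public_port, last_seen)
        self.inbound = {}    # public_port -> (private_ip, private_port, last_seen)

    def _expire(self, now):
        """Drop every binding that has been idle longer than the timeout."""
        for pub_port, (ip, port, last) in list(self.inbound.items()):
            if now - last > self.idle_timeout:
                del self.inbound[pub_port]
                del self.outbound[(ip, port)]

    def translate_out(self, pkt, now):
        """Inside -> outside: rewrite the source to the public address/port.

        A first packet from an inside socket creates the binding; later
        packets refresh it."""
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port)
        pub_port = self.outbound[key][0] if key in self.outbound else next(self._ports)
        self.outbound[key] = (pub_port, now)
        self.inbound[pub_port] = (pkt.src_ip, pkt.src_port, now)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt, now):
        """Outside -> inside: deliver only if a binding for the public port exists.

        Returns None (packet dropped) when there is no binding, which is what
        happens to any connection the outside tries to initiate."""
        self._expire(now)
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None
        priv_ip, priv_port, _ = entry
        self.inbound[pkt.dst_port] = (priv_ip, priv_port, now)
        self.outbound[(priv_ip, priv_port)] = (pkt.dst_port, now)
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Walk through the three effects with constructed traffic."""
    nat = Napt("203.0.113.1", idle_timeout=60.0)

    # Effect 1: the web server at 198.51.100.7 sees 203.0.113.1:40000, not 10.0.0.5:5555.
    out = nat.translate_out(Packet("10.0.0.5", 5555, "198.51.100.7", 80), now=0.0)

    # The server's reply maps back to the inside host while the binding is live.
    reply = nat.translate_in(Packet("198.51.100.7", 80, "203.0.113.1", out.src_port), now=1.0)

    # Effect 3: a peer that was never contacted from inside cannot reach the host.
    unsolicited = nat.translate_in(Packet("192.0.2.9", 4000, "203.0.113.1", 40001), now=2.0)

    # Effect 2: after the idle timeout the binding is gone, so even the same server's
    # packet to the same public port is now dropped.
    late = nat.translate_in(Packet("198.51.100.7", 80, "203.0.113.1", out.src_port), now=120.0)

    return out, reply, unsolicited, late


if __name__ == "__main__":
    for name, pkt in zip(("out", "reply", "unsolicited", "late"), demo()):
        print(f"{name:12s} {pkt if pkt is not None else 'DROPPED'}")
```

Running the file prints the rewritten outbound packet, the delivered reply, and two DROPPED results: the unsolicited packet (no binding) and the late reply (binding expired). The model is deliberately minimal (no per-destination filtering, no TCP state tracking), so it shows the address-binding behaviour the reply is talking about rather than any particular vendor's NAT.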