on 6/18/2003 10:44 PM Valdis.Kletnieks@vt.edu wrote:

>> Melinda Shore <mshore@cisco.com> writes:
>> None of these things worked real well through firewalls either, which
>> is sort of my point.

> If it doesn't work through a firewall, it's because the firewall is
> doing what you ASKED it to do - block certain classes of connections.
>
> If it doesn't work through a NAT, it's because the NAT is FAILING to do
> what you asked it to do - allow transparent connections from boxes
> behind the NAT.

Exactly. I can tell a firewall to get out of the way (stupid as that may
be in some cases) and the application protocols will function as designed
and expected. I cannot tell a NAT to do that, but instead must first
educate the vendor about the protocol that's being blocked, wait for them
to do their market research and/or prioritize the application among their
Great List of Applications They Have Broken, and then maybe one day get a
patch that actually spoofs the protocol well enough for it to work with a
middlebox in the way. There are some (very few) exceptions to the latter
routine, but that's the usual dance.

--
Eric A. Hall                                  http://www.ehsco.com/
Internet Core Protocols    http://www.oreilly.com/catalog/coreprot/