> Keith, I don't get this argument. A NAPT is a firewall by your own > definition "I believe the primary purpose of firewalls should be to > protect the network, not the hosts, from abusive or unauthorized > usage." only if the policy that the user wants is exactly what the NAPT provides. it's unrealistic to assume that most NAPT users do not want to run any apps that accept externally-originated traffic, ever. it's also unrealistic to assume that most threats to the networks are from outside the network, or that any kind of perimeter security will protect a network of significant size from attack.