On Sat, 21 Jun 2003, S Woodside wrote:

> On Saturday, June 21, 2003, at 08:17 PM, David Morris wrote:
>
> > Based on policies that reject inbound
> > connections to all computers except those carefully hardened and
> > sequestered on their own 'DMZ' will dramatically reduce the potential
> > of compromise from many risky applications ranging from TELNET on
> > Solaris to SMB on Windows.
>
> It would be just as hard to traverse that firewall, then (for voice),
> as it would be to traverse a NAPT, no?

In the case of the product I use, 'NAPT' is a default behavior, but
alternate configurations are possible including no NAT. Opening inbound
connections to arbitrary hosts is always a risk since there are many
reasons that one can't trust the security status of desktop machines for
at least some percentage of the user population. I'm certainly not ready
to allow connection to any application I know of from outside of my
firewall when I can't control the machine.

So I guess my short answer is I hope so.

Dave Morris