I agree that separating out the NAT and firewall functions is useful and necessary. Even if the two functions are performed by the same box they should be considered separately. I don't think that the idea of zero-configuration firewalls should be dismissed. A firewall is simply a policy enforcement point, usually located at the border where the network meets the Internetwork.

First, people have the model wrong: ask not how you can protect yourself from the Internet, ask how to protect the Internet from you. There are huge numbers of insecure machines connected to the Internet. And yes, even Linux machines are vulnerable. Your desktop may be patched against the latest attacks, but you probably have a machine used as a printer/file/DNS server sitting in the corner that has not had any maintenance for three years.

A reverse firewall with simple protection rules to protect the Internet from a rogue server should be part of the default configuration of every gateway device. Let people turn it off if their use model requires it. But very, very few people need to have a machine that has a use signature that remotely resembles a DDoS bot or a spambot. Eventually I am going to persuade one of the major ISPs to make such a feature a requirement in the cable modems / wifi routers / DSL modems they buy. I am pretty sure that failing to do so would constitute negligence - certainly the Hand formula indicates a duty of care here.

In the future every NIC, router, hub and wifi access point will be a policy enforcement point. Policy configuration on the enforcement device is going to be impractical. The obvious solution is to use a standards-based protocol such as SAML/XACML to encode the rules, sign them and distribute them to the enforcement points. There is no reason why this should not be possible in the home environment.
If we start by assuming that there is some form of trustworthy hardware that cannot be stomped on by malicious code, it becomes obvious that the network config can be made plug and play. The only thing the user has to do is to decide what applications can and cannot connect up to the network and/or Internetwork and the uses to be made.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
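The reverse firewall the post argues for, shown as an added illustration that is not code from the original message or from any IETF work: a gateway enforcement point that refuses to load an egress policy unless its signature verifies, then applies three default-on protections to outbound traffic (egress filtering of spoofed source addresses in the spirit of BCP 38, outbound SMTP restricted to designated relays, and a per-host cap on new connection attempts). The JSON policy format, the HMAC signature standing in for a signed SAML/XACML document, the key, the addresses and the flow records are all constructed assumptions for the example.

```python
"""Reverse firewall: a signed egress policy loaded by a gateway enforcement point.

Added example, not the original post's code. The JSON policy and the HMAC
signature are a simplified stand-in for the signed SAML/XACML documents the
post proposes distributing to enforcement points.
"""
import hashlib
import hmac
import ipaddress
import json
from collections import Counter

# Constructed shared key. A real deployment would use asymmetric signatures
# so that enforcement points hold only a verification key.
POLICY_KEY = b"example-policy-signing-key"

# Constructed policy document, as it would be distributed to the gateway.
POLICY_DOC = json.dumps({
    "version": 1,
    "local_net": "192.0.2.0/24",      # hosts behind this gateway
    "mail_relays": ["192.0.2.25"],    # only these may speak SMTP outbound
    "blocked_outbound_ports": [25],
    "syn_limit_per_minute": 20,       # new TCP connections per source host
}, sort_keys=True).encode()


def sign_policy(doc: bytes, key: bytes) -> str:
    """Produce the detached signature distributed alongside the policy."""
    return hmac.new(key, doc, hashlib.sha256).hexdigest()


def load_policy(doc: bytes, signature: str, key: bytes) -> dict:
    """Refuse to use any policy whose signature does not verify."""
    if not hmac.compare_digest(sign_policy(doc, key), signature):
        raise ValueError("policy signature invalid; refusing to load")
    return json.loads(doc)


class EgressFilter:
    """Policy enforcement point for traffic leaving the local network."""

    def __init__(self, policy: dict):
        self.local_net = ipaddress.ip_network(policy["local_net"])
        self.mail_relays = {ipaddress.ip_address(a) for a in policy["mail_relays"]}
        self.blocked_ports = set(policy["blocked_outbound_ports"])
        self.syn_limit = policy["syn_limit_per_minute"]
        self.syn_counts = Counter()  # (source host, minute bucket) -> SYNs seen

    def decide(self, flow: dict) -> tuple:
        """Return ("DROP", reason) or ("ACCEPT", None) for one outbound flow.

        flow keys: src, dst (address strings), proto ("tcp"/"udp"), dport (int),
        syn (bool, a TCP connection attempt), minute (int clock bucket).
        """
        src = ipaddress.ip_address(flow["src"])
        # Rule 1: a packet leaving with a source address that is not ours is
        # spoofed, the hallmark of reflection and amplification floods.
        if src not in self.local_net:
            return ("DROP", "spoofed source address")
        # Rule 2: only designated relays may send mail directly; any other
        # host talking SMTP outbound has a spambot-like use signature.
        if (flow["proto"] == "tcp" and flow["dport"] in self.blocked_ports
                and src not in self.mail_relays):
            return ("DROP", f"outbound port {flow['dport']} not allowed from {src}")
        # Rule 3: cap new connection attempts per host per minute; a host
        # opening hundreds of connections a minute looks like a DDoS bot.
        if flow["proto"] == "tcp" and flow.get("syn"):
            key = (src, flow["minute"])
            self.syn_counts[key] += 1
            if self.syn_counts[key] > self.syn_limit:
                return ("DROP", f"SYN rate limit exceeded for {src}")
        return ("ACCEPT", None)


def run_sample() -> list:
    """Load the signed policy and evaluate a constructed batch of flows."""
    sig = sign_policy(POLICY_DOC, POLICY_KEY)
    pep = EgressFilter(load_policy(POLICY_DOC, sig, POLICY_KEY))
    flows = [
        # normal HTTPS from a desktop
        {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp", "dport": 443, "syn": True, "minute": 0},
        # spoofed source: not one of our addresses
        {"src": "203.0.113.7", "dst": "198.51.100.5", "proto": "udp", "dport": 53, "syn": False, "minute": 0},
        # direct SMTP from a desktop, not a relay
        {"src": "192.0.2.10", "dst": "198.51.100.9", "proto": "tcp", "dport": 25, "syn": True, "minute": 0},
        # SMTP from the designated relay
        {"src": "192.0.2.25", "dst": "198.51.100.9", "proto": "tcp", "dport": 25, "syn": True, "minute": 0},
    ]
    # The unmaintained server in the corner suddenly opening many connections.
    flows += [{"src": "192.0.2.40", "dst": f"198.51.100.{i % 250 + 1}", "proto": "tcp",
               "dport": 80, "syn": True, "minute": 1} for i in range(25)]
    return [pep.decide(f)[0] for f in flows]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The signature check is the part that makes remote policy distribution safe: a gateway that accepts any policy it is handed is itself the rogue device the post worries about, so the enforcement point verifies before it loads, and falls back to its shipped default rules rather than running unsigned ones.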