On 7/2/07 12:40 PM, "Hallam-Baker, Phillip" <pbaker@xxxxxxxxxxxx> wrote:

> The $50 includes the cost of administration. I get the NAT effect for free
> when I plug the box in. Turning it off on the other hand requires rather a lot
> of thinking for the average user.

There's no reason that a default firewall configuration need be any more complicated than a NAT. Somewhat less, actually.

But anyway, I think you're muddying the discussion somewhat by framing it in terms of NAT. You're talking about network policy and NAT is not a policy function. NAT workarounds tend to introduce security problems while a decent, usable policy infrastructure would not, or would at least localize them.

I think we probably both see the same outcome as desirable but I do think that it's a big mistake to frame the problem as "NAT is good" rather than "default deny is good."

Melinda

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf