As the administrator of several small networks, it is quite simple. By rewriting the address, the NAT is a de facto default deny. I have a lot more trust in the simplicity of a basic NAT in a consumer firewall than I do in any firewall which has to examine each packet for conformance to complex policy rules.

But this misses the point I see in Phillip's discussion... I read his ultimate proposal as:

a. Stop bashing NAT; it provides value in the current network and has prevented a total meltdown which would have happened if every early OS were directly attached to the internet.

b. REPLACE NAT with a default deny infrastructure... more than just a single FW choke point.

On Mon, 2 Jul 2007, Melinda Shore wrote:
> On 7/2/07 11:14 AM, "Hallam-Baker, Phillip" <pbaker@xxxxxxxxxxxx> wrote:
> > There is no other device that can provide me with a lightweight firewall for
> > $50.
>
> Of course there is - the same device that's providing the NAT.
>
> NAT by itself is intrinsically policy-free, although it implements
> policy as a side-effect. I'm unclear on why you think that a
> default-deny policy is better implemented on a NAT than on a
> firewall.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
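The two positions in this exchange, NAT as a "de facto default deny" versus a default-deny policy that needs no address rewriting, can be made concrete with a small simulation. The following Python is an added example and is not code from the thread or from any IETF project: it models a port-restricted NAT (the translation table is the only thing that decides whether an inbound packet has somewhere to go) beside a stateful firewall that keeps the same flow table but forwards packets unchanged. All addresses, ports and class names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple; protocol and payload are irrelevant to the point."""
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, int, str, int]  # (inside ip, inside port, remote ip, remote port)


class Nat:
    """Port-restricted NAT (assumption for the example: many consumer boxes behave this way).

    Outbound packets create a mapping and are rewritten to the public address.
    Inbound packets are deliverable only if a mapping exists for the destination port
    and the remote endpoint matches. Otherwise the NAT has no inside address to
    forward to: that is the "policy as a side-effect" Melinda Shore refers to.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: dict[FlowKey, int] = {}     # flow -> allocated public port
        self.back: dict[int, FlowKey] = {}    # public port -> flow

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        # Address rewrite: the packet leaves with the public ip and mapped port.
        return Packet(self.public_ip, self.out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = self.back.get(pkt.dport)
        if key is None or (key[2], key[3]) != (pkt.src, pkt.sport):
            return None  # no mapping -> silently dropped, nothing to translate to
        inside_ip, inside_port, _, _ = key
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


class StatefulFirewall:
    """Explicit default-deny with connection tracking and no address rewriting.

    Same admission decision as the NAT, but the policy is stated in one line
    (only replies to tracked outbound flows are admitted) rather than being an
    accident of the translation table.
    """

    def __init__(self) -> None:
        self.flows: set[FlowKey] = set()

    def outbound(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # routed, not rewritten

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt
        return None  # default deny


def demo() -> dict:
    """Run the same traffic through both devices and report what got in."""
    inside, public, web, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7", "198.51.100.99"

    nat = Nat(public)
    fw = StatefulFirewall()

    # Constructed traffic: one outbound web request from an inside host.
    request = Packet(inside, 51000, web, 80)
    nat_out = nat.outbound(request)
    fw.outbound(request)

    # The legitimate reply addresses whatever the outside world saw as the source.
    nat_reply = nat.inbound(Packet(web, 80, nat_out.dst if False else public, nat_out.sport))
    fw_reply = fw.inbound(Packet(web, 80, inside, 51000))

    # Unsolicited inbound: a scan at the public address / inside address.
    nat_scan = nat.inbound(Packet(attacker, 12345, public, 22))
    fw_scan = fw.inbound(Packet(attacker, 12345, inside, 22))

    return {
        "nat_reply_delivered_to": nat_reply.dst if nat_reply else None,
        "nat_scan_dropped": nat_scan is None,
        "fw_reply_delivered_to": fw_reply.dst if fw_reply else None,
        "fw_scan_dropped": fw_scan is None,
    }


if __name__ == "__main__":
    print(demo())
```

Both devices admit the reply and drop the scan; the difference is that the firewall's decision is a policy you can read and change (add a rule to admit port 22 from one address), whereas the NAT's decision is whatever the mapping table happens to contain, which is exactly why "replace NAT with a default deny infrastructure" is a separable proposal from "keep NAT".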