On 7/2/07 9:14 PM, "David Morris" <dwm@xxxxxxxxx> wrote:

> As the administrator of several small networks, it is quite simple. By
> re-writing the address, the NAT is a defacto default deny.

A lot of administrators feel that way, and I understand why (NAT is basically configuration-free, for the moment). However, for the past 7 years (at least), currently, and for the foreseeable future, manufacturers, users, application authors, and standards bodies like the IETF, the ITU-T, PacketCable, and the various 3s are working hard at finding ways to bypass NAT "security" outside of any consideration of policy and without giving the user control of the process. (Control will belong to applications.) And incidentally, each of these new NAT bypass techniques introduces new security exposures, some by virtue of the fact that they're bypassing what some people think is security and others by virtue of the fact that they're actually not secure. Good luck to all of us in staying on top of all of them.

> I have a lot
> more trust in the simplicity of a basic NAT in a consumer firewall than I
> do in any firewall which has to examine each packet for conformance to
> complex policy rules.

"Drop all inbound traffic" is complex?

Melinda

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
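The exchange above turns on whether NAT's address rewriting is a "de facto default deny" and on the bypass techniques that applications use to get through it. The model below is an added example by the editor, not code from either poster or from the IETF list: a toy NAT whose inbound filtering follows the three RFC 4787 filtering behaviours (endpoint-independent, address-dependent, address-and-port-dependent), with constructed addresses, ports and a hole-punching flow assumed for illustration. It shows that an unsolicited packet is dropped under every mode (the de facto default deny), that under endpoint-independent filtering any host on the Internet can reach the inside socket once the application has sent a single outbound packet, and that under the strictest mode the application can still open the pinhole itself by sending to the peer first, which is the "control belongs to applications" point.

```python
"""Toy model of NAT inbound filtering (RFC 4787 terms).

Added example for this thread, not code from the list or its posters.
Addresses, ports, the mapping port 40000 and the packet flows below are
constructed for illustration, not captured traffic.
"""
from dataclasses import dataclass, field

# RFC 4787 filtering behaviours, from loosest to strictest.
ENDPOINT_INDEPENDENT = "endpoint-independent"          # any host may send to the mapping
ADDRESS_DEPENDENT = "address-dependent"                # only IPs the inside host sent to
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"  # only exact ip:port sent to


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    inside: tuple                              # (inside_ip, inside_port)
    peers: set = field(default_factory=set)    # (ip, port) the inside host sent to


class Nat:
    """Port-translating NAT: outbound creates a mapping, inbound needs one."""

    def __init__(self, public_ip, filtering, first_port=40000):
        self.public_ip = public_ip
        self.filtering = filtering
        self.next_port = first_port
        self.by_inside = {}   # (inside_ip, inside_port) -> public port
        self.by_public = {}   # public port -> Mapping

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_inside:
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_inside[key] = port
            self.by_public[port] = Mapping(inside=key)
        port = self.by_inside[key]
        # Remember whom the inside host talked to; the filter consults this.
        self.by_public[port].peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated packet, or None if the NAT drops it."""
        m = self.by_public.get(pkt.dst_port)
        if m is None:
            return None  # no mapping at all: the de facto default deny
        src = (pkt.src_ip, pkt.src_port)
        if self.filtering == ADDRESS_PORT_DEPENDENT and src not in m.peers:
            return None
        if self.filtering == ADDRESS_DEPENDENT and pkt.src_ip not in {ip for ip, _ in m.peers}:
            return None
        return Packet(pkt.src_ip, pkt.src_port, m.inside[0], m.inside[1])


# Constructed topology (all assumptions): one inside host, a rendezvous
# server, a peer it wants to reach, and an unrelated "stranger".
PUBLIC_IP = "203.0.113.1"
INSIDE = ("192.168.1.10", 50000)
SERVER = ("198.51.100.5", 3478)
PEER = ("198.51.100.77", 5000)
STRANGER = ("192.0.2.99", 4444)


def run(filtering):
    """Replay the same flow through a NAT with the given filtering mode.

    Returns a dict of verdicts: True means the inbound packet was forwarded."""
    nat = Nat(PUBLIC_IP, filtering)

    def inbound_from(src):
        return nat.inbound(Packet(src[0], src[1], PUBLIC_IP, 40000)) is not None

    verdict = {}
    verdict["unsolicited"] = inbound_from(STRANGER)            # before any outbound
    nat.outbound(Packet(*INSIDE, *SERVER))                     # app registers with server
    verdict["server_reply"] = inbound_from(SERVER)
    verdict["server_other_port"] = inbound_from((SERVER[0], SERVER[1] + 1))
    verdict["stranger_after_mapping"] = inbound_from(STRANGER)
    verdict["peer_before_punch"] = inbound_from(PEER)
    nat.outbound(Packet(*INSIDE, *PEER))                       # hole punch: app sends first
    verdict["peer_after_punch"] = inbound_from(PEER)
    return verdict


if __name__ == "__main__":
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_DEPENDENT, ADDRESS_PORT_DEPENDENT):
        print(mode, run(mode))
```

Under endpoint-independent filtering, `stranger_after_mapping` comes back True: one outbound packet from any application turns the mapped port into a reachable service for the whole Internet, which is the kind of exposure Melinda describes as "actually not secure". Under address-and-port-dependent filtering the stranger is dropped, but `peer_after_punch` is still True, because the application opened the pinhole by sending to the peer first, outside any administrator policy.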