[125969] in North American Network Operators' Group


Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast

daemon@ATHENA.MIT.EDU (Jon Lewis)
Tue Apr 27 17:25:56 2010

Date: Tue, 27 Apr 2010 17:25:18 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <26157.1272400265@localhost>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 27 Apr 2010 Valdis.Kletnieks@vt.edu wrote:

> That site will manage to chucklehead their config whether or not it's NAT'ed.

True...but when they do it and all their important stuff is in 
192.168.0/24, you still can't reach it...and if they break NAT, at least 
their internet breaks.  i.e. they'll know it's broken.  When they change 
the default policy on the firewall to Accept/Allow all, everything will 
still work...until all their machines are infected with enough stuff to 
break them.

> Hmm... Linux has a firewall.  MacOS has a firewall. Windows XP SP2 or later
> has a perfectly functional firewall out of the box, and earlier Windows had
> a firewall but it didn't do 'default deny inbound' out of the box.

Linux can have a firewall.  Not all distros default to having any rules. 
XP can (if you want to call it that).  I don't have any experience with 
MacOS.  Both my kids run Win2k (to support old software that doesn't run 
well/at all post-2k).  I doubt that's all that unusual.

> Are you *really* trying to suggest that a PC is not fit-for-purpose
> for that usage, and *requires* a NAT and other hand-holding?

Here's an exercise.  Wipe a PC.  Put it on that cable modem with no 
firewall.  Install XP on it.  See if you can get any service packs 
installed before the box is infected.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

