[125970] in North American Network Operators' Group


Re: the alleged evils of NAT,

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Apr 27 18:31:23 2010

From: Owen DeLong <owen@delong.com>
In-Reply-To: <Pine.LNX.4.61.1004271718210.5148@soloth.lewis.org>
Date: Tue, 27 Apr 2010 15:24:47 -0700
To: Jon Lewis <jlewis@lewis.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Apr 27, 2010, at 2:25 PM, Jon Lewis wrote:

> On Tue, 27 Apr 2010 Valdis.Kletnieks@vt.edu wrote:
> 
>> That site will manage to chucklehead their config whether or not it's NAT'ed.
> 
> True...but when they do it and all their important stuff is in 192.168.0/24, you still can't reach it...and if they break NAT, at least their internet breaks.  i.e. they'll know it's broken.  When they change the default policy on the firewall to Accept/Allow all, everything will still work...until all their machines are infected with enough stuff to break them.
> 
Nah... They'll chucklehead forward something to 135-139/TCP on the box with all the important stuff just fine.
NAT won't save them from this.

>> Hmm... Linux has a firewall.  MacOS has a firewall. Windows XP SP2 or later
>> has a perfectly functional firewall out of the box, and earlier Windows had
>> a firewall but it didn't do 'default deny inbound' out of the box.
> 
> Linux can have a firewall.  Not all distros default to having any rules. XP can (if you want to call it that).  I don't have any experience with MacOS.  Both my kids run Win2k (to support old software that doesn't run well/at all post-2k).  I doubt that's all that unusual.
> 
And the rest of the world should pay for your kids' legacy requirements why?

>> Are you *really* trying to suggest that a PC is not fit-for-purpose
>> for that usage, and *requires* a NAT and other hand-holding?
> 
> Here's an exercise.  Wipe a PC.  Put it on that cable modem with no firewall.  Install XP on it.  See if you can get any service packs installed before the box is infected.
> 
1. Yes, I can.  I simply didn't put an IPv4 address on it. ;-)
2. I wouldn't hold XP up as the gold standard of hosts here.

Owen
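The thread above turns on whether a host firewall actually does "default deny inbound" or, as Jon notes, ships with no rules at all. As an added example that is not part of the original thread or anyone's posted code, the following Python audit reads an iptables-save style dump and classifies the inbound posture. The three dumps are constructed samples: a host with an empty ruleset, a default-deny host with stateful return traffic and SSH allowed, and a host whose INPUT policy is DROP but whose unconditional ACCEPT rule silently undoes it (the "change the default policy to Accept/Allow all" failure mode from the thread). The rule names and dumps are assumptions for illustration; the parser handles only the `*filter` table.

```python
"""Audit an iptables-save dump for a 'default deny inbound' host firewall policy."""
import re

# Constructed sample: a distro that ships with an empty ruleset (no default deny).
OPEN_HOST = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: default-deny inbound; loopback, return traffic and SSH allowed.
HARDENED_HOST = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: policy is DROP, but a blanket ACCEPT rule is hit first,
# so the DROP policy never applies to any packet.
ACCEPT_ALL_RULE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
COMMIT
"""


def parse_filter_table(dump):
    """Return (chain policies, INPUT rules) from the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"          # only the filter table carries INPUT policy
        elif not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]   # ':INPUT DROP [0:0]' -> ('INPUT', 'DROP')
            policies[name] = policy
        elif line.startswith("-A INPUT "):
            rules.append(line)                    # keep INPUT rules in evaluation order
    return policies, rules


def is_unconditional_accept(rule):
    """True if an INPUT rule jumps to ACCEPT with no match clause at all."""
    return re.fullmatch(r"-A INPUT\s+-j\s+ACCEPT\s*", rule) is not None


def audit_inbound(dump):
    """Classify inbound posture: 'default-deny', 'open', or 'accept-all-rule'.

    Rules are walked in order, because iptables stops at the first terminating
    target: a blanket ACCEPT before any deny makes the chain policy irrelevant.
    """
    policies, rules = parse_filter_table(dump)
    for rule in rules:
        if is_unconditional_accept(rule):
            return "accept-all-rule"
        if re.match(r"-A INPUT\s+-j\s+(DROP|REJECT)\b", rule):
            return "default-deny"                 # explicit catch-all deny at the end of the chain
    return "default-deny" if policies.get("INPUT") == "DROP" else "open"


if __name__ == "__main__":
    for label, dump in (("empty ruleset", OPEN_HOST),
                        ("hardened", HARDENED_HOST),
                        ("blanket accept", ACCEPT_ALL_RULE)):
        print(f"{label:15s} -> {audit_inbound(dump)}")
```

On a live Linux host the dump would come from `iptables-save` (or `iptables-save -t filter`); the same walk-in-order logic is what makes the "Accept/Allow all" misconfiguration visible, since the chain policy alone looks fine in that case.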


