the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

Owen DeLong owen at delong.com
Tue Apr 27 22:24:47 UTC 2010


On Apr 27, 2010, at 2:25 PM, Jon Lewis wrote:

> On Tue, 27 Apr 2010 Valdis.Kletnieks at vt.edu wrote:
> 
>> That site will manage to chucklehead their config whether or not it's NAT'ed.
> 
> True...but when they do it and all their important stuff is in 192.168.0/24, you still can't reach it...and if they break NAT, at least their internet breaks.  i.e. they'll know its broken.  When they change the default policy on the firewall to Accept/Allow all, everything will still work...until all their machines are infected with enough stuff to break them.
> 
Nah... They'll chucklehead forward something to 135-139/TCP on the box with all the important stuff just fine.
NAT won't save them from this.

>> Hmm... Linux has a firewall.  MacOS has a firewall. Windows XP SP2 or later
>> has a perfectly functional firewall out of the box, and earlier Windows had
>> a firewall but it didn't do 'default deny inbound' out of the box.
> 
> Linux can have a firewall.  Not all distros default to having any rules. XP can (if you want to call it that).  I don't have any experience with MacOS.  Both my kids run Win2k (to support old software that doesn't run well/at all post-2k).  I doubt that's all that unusual.
> 
And the rest of the world should pay for your kid's legacy requirements why?

>> Are you *really* trying to suggest that a PC is not fit-for-purpose
>> for that usage, and *requires* a NAT and other hand-holding?
> 
> Here's an exercise.  Wipe a PC.  Put it on that cable modem with no firewall.  Install XP on it.  See if you can get any service packs installed before the box is infected.
> 
1.	Yes, I can.  I simply didn't put an IPv4 address on it. ;-)
2.	I wouldn't hold XP up as the gold standard of hosts here.

Owen





More information about the NANOG mailing list