the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Jon Lewis
jlewis at lewis.org
Tue Apr 27 21:25:18 UTC 2010
On Tue, 27 Apr 2010 Valdis.Kletnieks at vt.edu wrote:
> That site will manage to chucklehead their config whether or not it's NAT'ed.
True...but when they do it and all their important stuff is in
192.168.0/24, you still can't reach it...and if they break NAT, at least
their internet breaks. i.e. they'll know it's broken. When they change
the default policy on the firewall to Accept/Allow all, everything will
still work...until all their machines are infected with enough stuff to
break them.
> Hmm... Linux has a firewall. MacOS has a firewall. Windows XP SP2 or later
> has a perfectly functional firewall out of the box, and earlier Windows had
> a firewall but it didn't do 'default deny inbound' out of the box.
Linux can have a firewall. Not all distros default to having any rules.
XP can (if you want to call it that). I don't have any experience with
MacOS. Both my kids run Win2k (to support old software that doesn't run
well/at all post-2k). I doubt that's all that unusual.
> Are you *really* trying to suggest that a PC is not fit-for-purpose
> for that usage, and *requires* a NAT and other hand-holding?
Here's an exercise. Wipe a PC. Put it on that cable modem with no
firewall. Install XP on it. See if you can get any service packs
installed before the box is infected.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________