added some clarification.

On Mon, 2011-02-14 at 11:05 -0600, Justin Krejci wrote:
> 
> On Mon, 2011-02-14 at 10:50 -0600, Mark Katerberg wrote:
> > On 02/14/2011 10:45 AM, Justin Krejci wrote:
> > > Explain how NAT does this? NAT simply mangles the IP headers.
> > > A stateful firewall can protect you from port scans and other baddies
> > > without NAT.
> > > 
> > 
> > Yup, you should have that too. NAT just prevents a non-technical user
> > from opening ports 53 and 22 to everyone by accident. User-functionality
> > vs. security trade-off again.
> 
> NAT does not prevent them from opening ports to everyone. I've seen this
> happen and done it myself. "Port Forward" sometimes called "Virtual
> Servers". This has nothing to do with NAT.

Let me re-phrase a bit for clarity. NAT does not make it impossible to
allow packets in to your port 53, 22, etc. A firewall with default
inbound deny policy in place (there should not be any other kind) that
is stateful is really all you need. NAT just gets in the way of stuff
and is not the source of security or protection. As mentioned already,
its only (debatable) benefit is it prolongs the life of IPv4. There are
other drawbacks to NAT as well, such as address overlap when dealing with
tunneling from one network to another that is using the same address
space, because "it's only local to me" is false. In these cases you have
to re-NAT to yet another subnet that will not conflict (and continue to
ensure these address blocks are conflict free) unless you NAT back to
public IP address space, in which case why use NAT in the first place?

NAT is such a headache.

> 
> > 
> > > It is bad because it has broken protocols, applications, and end-to-end
> > > communications and caused much grief and likely loss of functionality in
> > > various applications because of it, unseen loss of functionality.
> > > I maintain NAT is evil. And even "extending the life of IPv4" is
> > > debatable as a plus for the overall picture.
> > > 
> > 
> > NAT doesn't realistically extend it by more than a week on the small
> > scale it's been rolled out, so I agree it's a non-issue. I do agree that
> > not listing that you are receiving a NAT connection is pretty evil. The
> > user should be aware if they want to be, and there should definitely be
> > an option available for a non-NAT connection, but I do understand the
> > desire to provide NAT by default (see above).
> 
> When I say extend the life of IPv4, I mean its actual existence at
> all where you can use one public IP and share it amongst 50 or more
> clients vs using 50 or more public IP addresses. This has greatly
> extended the life of IPv4.
> 
> > 
> > 
> > P.S.
> > The top posting is getting a little annoying.
> > 
> 
> Let's not start a battle here.
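The address-overlap drawback raised above (two tunnelled sites both using the same private space, forcing a re-NAT to yet another block that must be kept conflict free) is easy to see with a small planner. This is an added example, not code from the thread; the site names, subnets and the choice of 100.64.0.0/10 as the re-NAT pool are constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

def overlapping(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local, remote) subnet pairs whose address ranges collide.
    This is the "it's only local to me" failure: once two sites that both
    picked 192.168.1.0/24 are tunnelled together, the addresses are ambiguous."""
    lo = [ipaddress.ip_network(n) for n in local]
    re = [ipaddress.ip_network(n) for n in remote]
    return [(str(a), str(b)) for a in lo for b in re if a.overlaps(b)]

def pick_renat_subnet(in_use: Iterable[str], pool: str = "100.64.0.0/10",
                      prefixlen: int = 24) -> Optional[str]:
    """Pick the first /prefixlen block out of `pool` that collides with nothing
    already in use. The pool (CGNAT space here) is an assumption for the example;
    any block you control works. Returns None when the pool is exhausted."""
    used = [ipaddress.ip_network(n) for n in in_use]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None

def plan_renat(local: List[str], peers: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """For every peer whose subnets collide with ours, allocate a re-NAT block that
    conflicts with neither our subnets, nor any peer's, nor an earlier allocation.
    This is the ongoing bookkeeping the thread complains about."""
    in_use = list(local) + [n for subs in peers.values() for n in subs]
    plan: Dict[str, Optional[str]] = {}
    for name, subs in peers.items():
        if overlapping(local, subs):
            block = pick_renat_subnet(in_use)
            plan[name] = block
            if block is not None:
                in_use.append(block)   # keep later allocations conflict free too
    return plan

# Constructed sample data: our site and three tunnel peers.
LOCAL = ["192.168.1.0/24", "10.0.0.0/16"]
PEERS = {
    "branch-a": ["192.168.1.0/24"],                     # same /24 as ours
    "branch-b": ["172.16.5.0/24"],                      # no conflict, no re-NAT
    "partner":  ["10.0.42.0/24", "192.168.1.128/25"],   # collides twice
}

if __name__ == "__main__":
    for peer, subs in PEERS.items():
        print(peer, "overlaps:", overlapping(LOCAL, subs))
    print("re-NAT plan:", plan_renat(LOCAL, PEERS))
```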