[Techtalk] Good firewall configuration tool for debian
devdas at dvb.homelinux.org
Sat Apr 10 00:10:49 EST 2004
On 09/04/04 20:22 +0200, Rudy L. Zijlstra wrote:
> Devdas Bhagat wrote:
> >On 09/04/04 10:18 -0700, Carla Schroder wrote:
> > <snip>
> >>rest are non-routable IPs nicely tucked away behind your NAT
> >>router/firewall. If you have to pay for routable IPs, this saves you
> >Paying for routable IP addresses? There is plenty of IPv4 address space
> >to go around still. Ask your ISP to carry IPv6 instead.
> Tsk, tsk, what an USA attitude. Only the US has IPv4 to spare...
Tsk, Tsk. What a lack of header reading clue. See the originating IP.
> Otherwise things are getting quit scarse.
> for example China is using NAT over NAT at places to keep things working
> because of IPv4 scarcity.
I know. FWIW, I am involved in a lot of networking (as in IP networking)
activity around here.
Using CIDR, the theoretical limits of IPv4 are supposed to about 2019.
Getting rid of NAT would get that down to 2010 at worst.
With proper reallocation of IP space, that could be pushed back to 2019
> Also playing around with IPv4 is for the moment a lot easier than IPv6.
> Linux boxes may all support it, but most networks tend to have some
> other equiment on it as well. And my managed switches are none of them
Most reasonably modern equipment supports IPv6. Or can be upgraded to
something that does.
> IPv6 aware. I love to have managed switches, but hate to pay the price
> when new. So i buy them second hand.
You mean they won't handle IPv6 arp? The management network can stay
IPv4. Of course, you do get cheaper managable switches as well.
> <shrug>. like VPN, can be done over NAT. Though possibly not all VoIP
> packages support it. But only 2 years ago not all VPN packages supported
> NAT, now al of them do. And NAT has learned about VPN.
Painful though. My million dollar question though is: If Carlawants to
call you from behing her NAT to a device which is also NATted, how does
she do it?
> All problems that can be solved with a little thinking and configuring.
> >>Of course the trick with running public services on a dynamic IP is you
> >>need a third-party DNS service, like http://www.dyndns.org/, which lets
> >>you run public servers on a dynamic account.
> >ISP TOS?
> TOS == Type Of Service, at least in network lingo. What is your intention?
Terms Of Service. Those pesky legal things which prohibit the running of
servers on consumer grade DSL/cable.
> Which some ISPs do anyways because they do not have the IPv4 address
> space to cope otherwise.
Of course, they can always get more IP space allocated.
> Or block ports. As mine is doing on SMTP because too many windows boxes
> were becoming open spam relays...
Done correctly, this is a good temporary solution.
More information about the Techtalk