[Techtalk] Good firewall configuration tool for debian

Carla Schroder carla at bratgrrl.com
Fri Apr 9 11:05:42 EST 2004


On Friday 09 April 2004 10:38 am, Devdas Bhagat wrote:
> On 09/04/04 10:18 -0700, Carla Schroder wrote:
> > On Thursday 08 April 2004 5:55 pm, Kathryn Andersen wrote:
> > > If/When I move to ADSL... I notice in the listings of ADSL modems, one
> > > could get a plain modem, or one could get a router which has all sorts
> > > of built in stuff including NAT and a firewall.  Is it better to just
> > > set up all that stuff on one's own box, or to use a router?  All I know
> > > about NAT is that some people think it's evil...
> > > 
> > 
> > NAT is lovely, not evil. You have only one exposed public IP address, the
> NAT is evil. It breaks the peer to peer nature of the Internet.

What does that have to do with a user's real needs? NAT is great, and it does 
nothing to harm the "peer to peer nature of the Internet." It's simply a 
different way of routing traffic. For a simple LAN, running no or only a few 
public services, it's fast and easy to set up.

> 
> > Most ISPs will charge extra for a static IP, and if you want more than
> > one, you'll be charged more. With NAT, you only have to pay for one,
> Get a better ISP. Seriously, a clued ISP is worth money.

?? Routable IPs always cost; the ISP has to pay for them, they don't give them 
away. And even if they are having a fire sale, and giving away the store, a 
NAT firewall is still quite useful. It's easy to set up and manage, and gives 
you a lot of flexibility.

> 
> > then run as many servers behind it as you want to. This also gives you
> > flexibility in your LAN, you can muck about and change IPs all you want
> > to, or mess with DHCP, or do anything you want.
> > 
> > On a typical consumer DSL account, where you have a dynamically assigned IP,
> > NAT works just fine. Those lil ADSL modems, like the Linksys Etherfast 
> Until you need to run the same service on different hosts. Or until you
> need to use VoIP. Or use any good p2p technology.

Lots of ifs! We were originally talking about a home network, and a small Web 
server. Network design should be based on actual need, don't you think? 
Rather than theoretical or ideological considerations? 

> <snip>
> > Of course the trick with running public services on a dynamic IP is you
> > need a third-party DNS service, like http://www.dyndns.org/, which lets
> > you run public servers on a dynamic account. 
> ISP TOS?

Um, duh. :) If your TOS permits. Which many do, like mine.
>  
> > so you see, there are many options, and NAT is not evil.  :)
> Until your ISP decides that consumer grade DSL customers should not run
> services and to enforce that by giving you a RFC 1918 IP.

Let's stick with the real world. NAT works, and NAT is not evil. For many 
uses, it is a perfectly good thing. It's just another tool in the network 
admin's toolbox. The only reason to use, or not use it, is dictated by the 
user's actual needs and circumstances. Suppose your ISP gets all cranky and 
says "only business-class accounts may run public services." You can still 
use NAT, if that's what suits your needs.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
this message brought to you
by Libranet 2.8 and Kmail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
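To make the "one public IP, many servers behind it" setup argued over above concrete, here is an added example (not Carla's code, nor anything posted to the list) of a minimal iptables NAT firewall for a Debian box with a dynamic public address, publishing one internal web server. The interface names and addresses are assumptions; by default the script only prints the rules so they can be reviewed before applying them as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal NAT firewall for a Debian box
# with one dynamic public IP on the WAN interface and an RFC 1918 LAN behind
# it, publishing a single internal web server on TCP/80.
# Interface names and addresses below are assumptions, not values from the post.
set -eu

WAN=${WAN:-eth0}                     # interface facing the ISP (assumed)
LAN=${LAN:-eth1}                     # interface facing the home LAN (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # private range used inside (constructed)
WEB_HOST=${WEB_HOST:-192.168.1.10}   # internal web server (constructed)

# run prints each command when DRY_RUN=1 (the default) and executes it
# as root when DRY_RUN=0, so the rule set can be reviewed before it is applied.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

nat_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny for traffic to the firewall and through it; outbound is open.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may initiate connections out; replies return via connection tracking.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT
    # MASQUERADE rather than SNAT because the public address changes with DHCP.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Publish the web server on the one public IP: rewrite the destination,
    # then allow only that new connection through FORWARD (nothing else inbound).
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_HOST" --dport 80 -m state --state NEW -j ACCEPT
}

# rule_count returns how many commands the script emits (11 for this rule set).
rule_count() { nat_firewall | wc -l | tr -d ' '; }

nat_firewall
```

If the ISP hands out an RFC 1918 address on the WAN side, as the thread mentions, the LAN-to-Internet part still works unchanged; only the published web server stops being reachable from outside.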
