[Techtalk] Good firewall configuration tool for debian

Rudy L. Zijlstra rudy at edsons.demon.nl
Fri Apr 9 20:22:06 EST 2004


Devdas Bhagat wrote:

>On 09/04/04 10:18 -0700, Carla Schroder wrote:
>
> <snip>
>
>>rest are non-routable IPs nicely tucked away behind your NAT 
>>router/firewall. If you have to pay for routable IPs, this saves you
>>
>Paying for routable IP addresses? There is plenty of IPv4 address space
>to go around still. Ask your ISP to carry IPv6 instead.
>
Tsk, tsk, what a USA attitude. Only the US has IPv4 to spare... 
Otherwise things are getting quite scarce.
For example, China is using NAT over NAT at places to keep things working 
because of IPv4 scarcity.

Also playing around with IPv4 is for the moment a lot easier than IPv6. 
Linux boxes may all support it, but most networks tend to have some 
other equipment on them as well. And my managed switches are none of them 
IPv6 aware. I love to have managed switches, but hate to pay the price 
when new. So I buy them second hand.

>>money. Let's say you want to run some public services, even if it's only
>>for your personal use, like your own mail server, or a little Web server.
>>
>VoIP?
>
<shrug>. Like VPN, it can be done over NAT. Though possibly not all VoIP 
packages support it. But only 2 years ago not all VPN packages supported 
NAT; now all of them do. And NAT has learned about VPN.

>
>>Most ISPs will charge extra for a static IP, and if you want more than
>>one, you'll be charged more. With NAT, you only have to pay for one,
>>
>Get a better ISP. Seriously, a clued ISP is worth money.
>
Yep, though the choices are at times limited. On a cable you generally 
have just the one provider. And here is where mainland Europe actually 
tends to have a better choice than the US of A. At least in Belgium and 
Netherlands you tend to have a choice between cable and several ADSL 
providers in most cities.

>
>>then run as many servers behind it as you want to. This also gives you
>>flexibility in your LAN, you can muck about and change IPs all you want
>>to, or mess with DHCP, or do anything you want.
>>
>>On a typical consumer DSL account, where you have a dynamically assigned IP, 
>>NAT works just fine. Those lil ADSL modems, like the Linksys Etherfast 
>>
>Until you need to run the same service on different hosts. Or until you
>need to use VoIP. Or use any good p2p technology.
><snip>
>
All problems that can be solved with a little thinking and configuring.

>>Of course the trick with running public services on a dynamic IP is you
>>need a third-party DNS service, like http://www.dyndns.org/, which lets
>>you run public servers on a dynamic account. 
>>
>ISP TOS?
>
TOS == Type Of Service, at least in network lingo. What is your intention?

>
>>so you see, there are many options, and NAT is not evil.  :)
>>
>Until your ISP decides that consumer grade DSL customers should not run
>services and to enforce that by giving you a RFC 1918 IP.
>
Which some ISPs do anyways because they do not have the IPv4 address 
space to cope otherwise.

Or block ports. As mine is doing on SMTP because too many Windows boxes 
were becoming open spam relays...

>Devdas Bhagat
>
Rudy Zijlstra
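The thread's central claim is that one (possibly dynamic) public address plus NAT is enough to run several public services behind a Debian box, and Devdas' caveat is that the same service cannot be exposed on two hosts through one address. The script below is an added example, not code from anyone in this thread: it emits an iptables-restore ruleset for a two-interface Debian router that masquerades the LAN and forwards HTTP/HTTPS to one internal host and SMTP to another, while the filter table drops everything inbound that is not one of those forwarded services. The interface names (eth0 WAN, eth1 LAN), the 192.168.1.0/24 subnet and the server addresses are constructed values, not anything from the thread.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a small Debian
# NAT router with a single public IP and two servers behind it.
# All interface names and addresses are assumed/constructed for the example.

gen_nat_rules() {
    wan="$1"      # public-facing interface, e.g. eth0
    lan="$2"      # LAN interface, e.g. eth1
    lan_net="$3"  # LAN subnet, e.g. 192.168.1.0/24
    web="$4"      # internal web server, e.g. 192.168.1.10
    mail="$5"     # internal mail server, e.g. 192.168.1.20
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound HTTP/HTTPS on the public address goes to the web server
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
-A PREROUTING -i $wan -p tcp --dport 443 -j DNAT --to-destination $web:443
# Inbound SMTP goes to the mail server (only one host can own port 25 per public IP)
-A PREROUTING -i $wan -p tcp --dport 25 -j DNAT --to-destination $mail:25
# MASQUERADE rather than SNAT, because the public address is dynamic
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may reach the outside; the outside may reach only the DNAT'd services
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -d $web -p tcp -m multiport --dports 80,443 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $wan -o $lan -d $mail -p tcp --dport 25 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Usage (as root, after enabling net.ipv4.ip_forward=1):
#   gen_nat_rules eth0 eth1 192.168.1.0/24 192.168.1.10 192.168.1.20 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Two design points worth noting: the FORWARD chain matches on `--ctstate DNAT`, so a packet only crosses from WAN to LAN if the nat table already rewrote it, which keeps the exposed surface equal to the forwarded ports and nothing else; and because each public port can be DNAT'd to exactly one internal address, a second web or mail host would need a different public port or a second address, which is the limitation Devdas raises.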


More information about the Techtalk mailing list