[Techtalk] Good firewall configuration tool for debian

Meredydd meredydd at everybuddy.com
Fri Apr 9 22:33:17 EST 2004


On Friday 09 April 2004 18:38, Devdas Bhagat wrote:
> NAT is evil. It breaks the peer to peer nature of the Internet.
What happens if you don't *want* to be a peer? What is disabling all 
services on a machine if not stopping being a peer? Why not take the 
belt-and-braces approach, and ensure that even if you (or a user) left 
something open, you *cannot* be a peer?

> > rest are non-routable IPs nicely tucked away behind your NAT
> > router/firewall. If you have to pay for routable IPs, this saves
> > you
>
> Paying for routable IP addresses? There is plenty of IPv4 address
> space to go around still.

> Ask your ISP to carry IPv6 instead. 
...as long, that is, as you don't mind having your face laughed in. Or 
being unable to contact large sections of the internet without going 
through - oh, wait, that horrible evil that is NAT. Damn.

> > money. Let's say you want to run some public services, even if it's
> > only for your personal use, like your own mail server, or a little
> > Web server.
>
> VoIP?
www.gnomemeeting.org. Check their NAT section in the FAQ - as long as 
you have a smart enough client, port forwarding works (and hey, your 
alternative solutions are implying significantly more costly decisions 
than choosing a particular, Free, VoIP application).

> > Most ISPs will charge extra for a static IP, and if you want more
> > than one, you'll be charged more. With NAT, you only have to pay
> > for one,
>
> Get a better ISP. Seriously, a clued ISP is worth money.
Uhmm...for $DEITY's sake, why? Yeah, ok, there's slightly better 
service, but why should you *have* to pay for it when there's a 
perfectly good solution out there? Besides, charging extra for static 
IPs isn't a lack of clue, it's good economic sense - it's a service for 
which people will pay, so charge them. They're not charities.

> > then run as many servers behind it as you want to. This also gives
> > you flexibility in your LAN, you can muck about and change IPs all
> > you want to, or mess with DHCP, or do anything you want.
> >
> > On a typical consumer DSL account, where you have a dynamically
> > assigned IP, NAT works just fine. Those lil ADSL modems, like the
> > Linksys Etherfast
>
> Until you need to run the same service on different hosts.
In which case, you're *way* out of the catchment for this scenario, and 
you fork out for the extra static IPs, or for an ISP (is there such a 
beast?) who will just give them away to you.
> Or until you need to use VoIP.
GnomeMeeting, LinPhone, CUCMe (I think...)
> Or use any good p2p technology. 
There are workarounds, besides which one does not always need this 
stuff. It may involve tradeoffs, but it's not "evil".

> > Of course the trick with running public services on a dynamic IP is
> > you need a third-party DNS service, like http://www.dyndns.org/,
> > which lets you run public servers on a dynamic account.
>
> ISP TOS?
> > so you see, there are many options, and NAT is not evil.  :)
>
> Until your ISP decides that consumer grade DSL customers should not
> run services and to enforce that by giving you a RFC 1918 IP.
...at which point, the whole enterprise is moot. Yes, that *would* be 
evil, because it would force NAT upon you without any of the advantages, 
and without allowing you to avoid/mitigate the disadvantages.

Meredydd
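The "belt and braces" setup the post argues for (default-deny forwarding, masquerade the LAN behind one dynamic address, and publish only the handful of services you chose) written out as a small Debian iptables script. This is an added example, not code from the thread or from any of the tools it mentions; the interface names (ppp0 for the DSL link, eth0 for the LAN), the 192.168.1.0/24 addressing and the two published services (HTTP on 192.168.1.10, SMTP on 192.168.1.20) are assumptions. Matching the DNAT rules on the incoming interface rather than on the WAN address is what lets them survive the ISP changing your dynamic IP.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables script for a Debian
# box doing NAT for a LAN on a dynamic-IP DSL link, publishing two services.
# Assumptions (hypothetical): WAN is ppp0, LAN is eth0 on 192.168.1.0/24,
# a web server on 192.168.1.10 and a mail server on 192.168.1.20.
# Set IPT to a command that just prints its arguments to dry-run without root.
IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"
MAIL_HOST="${MAIL_HOST:-192.168.1.20}"

# Publish one TCP port: rewrite the destination on the way in, then allow
# exactly that new connection through FORWARD.  Matching on the WAN interface
# instead of its address keeps the rule valid after a dynamic IP change.
forward_tcp() {
    port="$1"; host="$2"
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$host" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
    # Clean slate, then default deny: nothing crosses the box unless a rule
    # below allows it, so a service left open on a LAN host stays unreachable.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections already opened from inside.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Let the LAN out, hidden behind whatever address ppp0 holds right now.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # RFC 1918 sources have no business arriving on the WAN side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # The only inbound paths: the services we deliberately publish.
    forward_tcp 80 "$WEB_HOST"
    forward_tcp 25 "$MAIL_HOST"
}

# Apply only when asked explicitly, e.g. "sh nat-firewall.sh apply" as root.
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run it as root with the `apply` argument; to review the rules first without touching the kernel, point `IPT` at a function that prints its arguments. Two caveats worth knowing: LAN hosts that try to reach the published services via the public name will not hairpin back through this box without an extra rule, and the DNAT rules deliberately say nothing about the WAN address, which is the whole point on a dynamic account.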