bronson's "wrapup" ignored everything I said about stateful firewall being the solution.
I'd love to see his reaction if I were to take whatever router he uses and configure NAT on it
such that every incoming packet maps back to his internal IP address and then tell the
firewall to allow incoming packets. That is a valid NAT configuration. Some home routers
call it "DMZ" or "Server".
bronson just won't accept that NAT isn't the security, the firewall is the security.
NAT without security can be had (in Linux terms) by pairing SNAT and DNAT rules or using the
Here is IPv6 security without NAT in Linux iptables firewall terms:
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i eth0 -j ACCEPT
ip6tables -A FORWARD -j DROP
Three rules. No NAT. Same security.
What would a hypothetical IPv6 home router call this? Nothing! It would be the default! No
complicated knobs and switches. It cannot get easier!
Explain what I didn't read.
As for bronson not reading me:
I explained how NAT is irrelevant to security. Then in his last response he repeated how NAT
is an effective security policy. It's not. It has nothing to do with security. As I
explained several times!
Then he repeats that he wants IPv6 to provide something better than NAT before getting rid of
NAT. It doesn't need to! It has security through stateful firewall just like current
systems! As I explained several times!