I don't believe that many networking people believe "Firewalls are evil." Now, *stupid* firewalls are evil: I'm tired of running into routers that blindly drop ECN or TCP windows because they are mangling packets for "security." NAT *is* evil and should die. It's a hack. The security you like about "NAT" is the anonymity and rejecting unrequested incoming packets. The semi-random anonymous IPv6 IPs that Microsoft and others have adopted provide the same anonymity benefits, and the "security" provided by NAT is nothing more than stateful firewalling. NAT did force home gateway/firewall vendors to provide stateful firewalls because many-to-one NAT cannot be done without it, but in NAT itself there's no security there. Using "NAT" for security is also a misuse of terms. NAT does include many-to-one, but it also includes one-to-many, many-to-many, and even IP-to-IP, port-to-port translation so that 192.168.1.1:25 connects to 192.168.2.1:25 without blocking any packets at all. There's no security in such a mapping even though it is NAT all the way.
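As an added illustration of the point above (not part of the comment): an nftables ruleset that keeps address translation and filtering in separate tables, so it is visible that the 1:1 mapping drops nothing and that the rejection of unrequested inbound connections comes entirely from the stateful filter chain, which needs no NAT at all. The interface name `lan0` and the addresses are assumed for the example.

```nft
# Added example, not the commenter's own configuration.
# Interface name and addresses are assumed for illustration.

# 1) Pure 1:1 translation, like the 192.168.1.1:25 -> 192.168.2.1:25
#    mapping in the comment. Every matching packet is rewritten and
#    forwarded; the policy is accept and nothing is ever dropped, so
#    this table provides no filtering. (netfilter still tracks the flow
#    in conntrack so that replies are un-translated, which is the
#    "state" NAT cannot work without.)
table ip translate_only {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 192.168.1.1 tcp dport 25 dnat to 192.168.2.1:25
    }
}

# 2) Stateful filtering with no translation. This is what actually
#    rejects unsolicited inbound connections, and it works identically
#    for globally routable IPv6 hosts where no NAT is involved.
table inet stateful_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # replies to flows the inside started
        ct state established,related accept
        ct state invalid drop
        # new flows are only allowed when they originate on the LAN side
        iifname "lan0" ct state new accept
        # any other new inbound flow falls through to the drop policy
    }
}
```

Load with `nft -f ruleset.nft`; removing table 1 leaves the protection of table 2 unchanged, while removing table 2 leaves the translated host fully reachable.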
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds