> NAT and stateful firewall are separate things

NAT is just one policy a stateful firewall can implement. I wouldn't call that separate.

> NAT is irrelevant to security

NAT is the single easiest to use policy on firewalls shipping today. And it's disturbingly effective. That makes it quite relevant to security, doesn't it?

As I've said on this very thread, I loathe NAT. I really hope IPv6 will do away with it. And, again, here's the point: before it can, IPv6 needs to provide something better. Something even more secure and even easier to administer.

In the last 15 years of watching IPv6 gestate, I haven't seen any work on this front (I don't follow v6 very closely anymore so it's entirely possible I've missed it; tell me if I have). Maybe papers have been written, specs hammered out, names and policies standardized, and Cisco/Linksys, F5, BI, Foundry, NS, etc. are all in agreement. Maybe working software even exists. If not, though, I'm afraid IPv6 has a lot of catching up to do.

It doesn't matter how advanced something is, it's worthless if it's not usable by the people deploying it. That's why NAT is so popular. And *that* is where IPv6 needs to do better. Just dismissing NAT as teh sux is to miss why it's been so successful. (Hint: the IPv4 shortage is not even an issue yet).

At this point, I feel like I've repeated myself again and am well on my way to looping back for fourths. If my point is still not clear, I apologize.

- Scott

NAT is pretty much optimal as far as ease of administration: on / off. Things go bad if you need to transit weird protocols like SIP or non-PASV FTP of course. That's where IPv6 will really shine... if and when the industry starts making easy to use IPv6 firewalls.