From: Greg A. Woods (no email)
Date: Sat Jan 03 2004 - 14:04:04 EST
[ On Saturday, January 3, 2004 at 09:28:34 (-0500), Jim Seymour wrote: ]
> Subject: Re: Acceptance of domain literals
>
> That would be a broken NAT implementation, no?
Or a broken NAT _configuration_.
Even with a really good implementation, such as IP Filter or PF, it's
incredibly difficult to configure a perfect NAT unless it's for the most
trivial and singular purpose.
Even with a perfect implementation and configuration debugging any kind
of connection problem can be a nightmare.
At least with IPF or PF or similar you can run tcpdump on the outside
interface and see what's really happening.
_I_ can't even get a hub to work between my DSL modem and my firewall
(somehow it won't negotiate a link with either an uplink port or a
normal port, regardless of whether a cross-over cable is used or not).
If my firewall wasn't a host-based firewall running IP Filter I'd be
unable to diagnose many types of problems. How's the average sysadmin
with a linksys or similar black-box toy supposed to do any protocol
analysis?
> I'm glad you qualified that with "almost." ;).
Well of course I qualified my guess about his connectivity. It was
clearly only a guess.
> My DSL provider, for
> example, ships NAT routers with their product. It is business class
> DSL only. (SDSL, IDSL, ADSL) They assign static IP address(es). No
> dynamic IP address assignments. Not only are customers *allowed* to
> run services, it's expected they (probably) will.
Just because they give you the thing doesn't mean you have to use it! ;-)
-- Greg A. Woods +1 416 218-0098 VE3TCP RoboHack / Planix, Inc. / Secrets of the Weird