firewall on budget?

Oddly enough, what you describe as not using NAT looks like NAT, one IP for the router. You could've said that there isn't an IP on the router's ports (which would make sense also because what is going on in that area uses ports and isn't routing!). In fact, it looks like NAT and PAT!

Furthermore, in the system you describe, a machine on the LAN or on the DMZ would still need a unique IP address though, distinct from the firewall-router appliance.

If the computers (on the DMZ or LAN ) had private addresses, then it really looks like NAT now!

If a DSL user doesn't have one of these firewall-router appliances, then in that instance, would he need 2 different public IPs, one for his router and one for his computer?

Then their DSL service does provide a public IP. Their router gets it.

Reply to
jameshanley39

Are you trying to be difficult or just missing the point?

Reply to
Leythos


NAT is a cheap way to shield you from the outside world, but if you have UPnP disabled and good security practices you shouldn't need super fancy expensive protection. The PC-cillin you can get from work should be adequate protection since that will protect both directions, whereas the Windows firewall is only one way. NAT is more than a one-way filter. It allows multiple computers to appear to have one public IP instead of multiple IPs. With the proper subnet mask you can control access.

Reply to
Hexalon

At this point, I don't understand you, since you have stopped addressing the problems I've mentioned.

I really can only understand that which I recognise as technically correct. *For example*

I have no idea what you mean when you say that with NAT, "their DSL service doesn't provide a public ip". I know what that statement would mean technically, and I'd say it's wrong: the 'DSL service' does provide a public IP, and that IP goes to the router. I know you know that, and that you don't mean that. But I still don't know what you do mean. (By me pointing that out, it didn't mean that I was telling you some basic point. But it makes it fairly clear why I don't know what you mean.)

Similarly with the other issue we discussed, where I wrote an objection. You discussed a system which you said didn't use NAT. But to me, a router with one IP forwarding to different physical ports based on TCP port looks like NAT and PAT. Almost a textbook case of it.

I can only read what you're writing in a technical way, without reading things in. It's not because I'm trying to be difficult. But I haven't physically seen the different systems that you have. My understanding is based on a technical reading of the words you write.

If you would address the objections then I might understand you. If you quit then I won't. At least now your posts are archived, you won't have to repeat yourself. I don't see relating to technical queries one knows as difficult. It's more difficult to turn this into a discussion where you claim I'm trying to be difficult, and I respond that I'm not. To have such a discussion would make things more difficult.

As you can see, judging by the amount I've had to write to give you as complete an answer as possible. But I'd rather discuss the technical aspects, and what you mean. Not this philosophical point that I'm sure you too feel leads nowhere. At least technical discussion would've/would lead somewhere, if you had/do pursued/pursue it.

As I said. There's no harm. You don't have to worry about having to repeat yourself, as people do so often in this newsgroup. Things are archived.

You'll notice the technical discussion was short and sweet, only a succinct line or paragraph. No reason to leave that for a non-technical philosophical marathon. I hope we can now leave discussion of the response to the philosophical question you asked, and get back to the concise technical discussion we were having.

Reply to
jameshanley39

Ok, depending on the level of the person I try and word my text accordingly, so I may not have presented it the way that you needed it.

When I said "their DSL service doesn't provide a public ip", it means that the user, directly connected to the ISP's device, does not get a public IP at their device, and that the ISP device is providing a non-routable private IP to them. So, for their purpose, they don't have a public IP, as the inbound is blocked like every other cheap NAT router.

If the Firewall has the same IP on all jacks, then it's not NAT.

As an example, I can have 16 IP on the WAN jack of my firewall; the same 16 IP are on the DMZ and LAN jacks of the same firewall. The connection between WAN>LAN or WAN>DMZ is routing, not NAT, and is controlled by firewall rules.

From the LAN I can take a public IP and connect it to a NAT Router and provide my internal LAN with a private IP scheme.

In some cases, speed, a Drop-In configured device will be faster than one that does NAT. Think of a web farm behind a firewall: they don't need private addresses for the web servers, they use public IP on the server NICs and let the firewall do its job without doing NAT.

There are cases where I might want to put a firewall between two departments, on the same network, with the same subnet, but block all nodes from the nodes in Accounting. A drop-in firewall works great here: no NAT, same subnet, transparent except for the blocking rules.

In the case of most small businesses and home users, a Drop-In (or 1:1 NAT) is not going to work well. They don't have the additional hardware and want to share a single IP with multiple devices, so traditional NAT devices work great.

So, again, some DSL providers provide a device that implements NAT to the customer, so the customer never sees a public IP for their hardware; others provide no NAT and the customer is directly connected to the public IP.

I understand you now, didn't before, that's why I asked. I'm OK if you are.

I hope I explained it above well enough; if not, just let me know where I missed the mark for you.

Reply to
Leythos

You are being very persistent. Now you're bringing firewalling technology into the game also, even though it has nothing to do with NAT.

Reply to
Straight Talk

Nonsense.

So you prefer gap-stopping technology with fancy alerting systems to technology that works by concept. I thought so.

Reply to
Straight Talk

Several people in this group (including myself) have already tried to explain to him what you are trying to explain here. Without any success. Don't bother, it's just a waste of your time.

cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

ok

Ok. I see. Makes sense now you mention using NAT routers connected to it. So you didn't mean no NAT in the system, just no NAT in the firewall appliance thing.

Indeed. Though when I said about 'no NAT' I meant examples of no NAT anywhere.

I haven't seen a DSL user with such a device. Maybe a PCI DSL modem, maybe; I can't remember, though I suspect that they, or that one I had, gave a private IP too actually.

Even the router/modems with one LAN port tend to do NAT! (With the DHCP server handing out its 1 IP to the NIC/NI of the device/computer connected.)

I thought you had seen such examples and wondered if you could link me to them, or name them?

By the way, what is an example of a make/model of such a firewall appliance that can do so-called routing amongst its physical ports, all of whom have the same IP?

Can that firewall appliance sort-of-routing thing be used in a system with no NAT at all? If the physical ports have IPs then I think not, 'cos that'd be the only IP available on each physical port's subnet.

You mentioned about ISPs making NAT mandatory. But, when it comes to DSL, who doesn't?

Your firewall appliance thing is designed for a NAT situation, as you said, NAT routers are connected to it.

Ok, you have a different way of thinking to me. I'd think of 'the router/modem' as the user's hardware too, and they can see its public IP by going to formatting link !

doing fine, thanks!

Reply to
jameshanley39

And I can't keep going around in circles with you.

NAT does not have to be used anywhere in the networks, you could have all computers on a PUBLIC IP and still be protected by a firewall setup in Drop-In mode.

So, I could be assigned a C block, have my firewall set up in Drop-In mode, and all my PCs could use public IPs assigned to each of them, and no private addresses at all.

If your device is in Bridge Mode it will give the user a public IP at their LAN network connection; if not, many provide a private IP address at their LAN connection.

Why are you going in circles? DSL modems often have two modes: one of them is Bridge mode and it provides a PUBLIC IP to the user's device connected to it; the other mode provides a private IP to the user's device.

Thought? I see them all the time, I don't write down their part numbers. Yahoo DSL is one that provides routers that do Bridge or NAT mode, so do several other DSL services I see. Most of the cable providers don't do NAT.

Pick ANY major vendor of firewalls. WatchGuard is one I like to use a lot.

Yes, it can. If I assign X.x.x.x/24 to the WAN port, it's assigned as available to all jacks, so that means I can assign the public IPs to the devices on the LAN and then set up rules to allow traffic to them. No NAT needed.

Every DSL provider we have seen allows users to set their device for Bridge Mode, giving them a public IP at their device; all of them started with a private IP at their device.

No, the firewall is designed to work in a network, NAT has nothing to do with this.

And we're talking about the IP that the user gets from the ISP's device: they either get a private IP or a public IP for their connection.

I'm not sure I can keep going around in circles with you on this.

Reply to
Leythos
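To make the distinction Leythos draws in his two posts above concrete, here is an added illustration that is not code from the thread and not any vendor's product: a toy Python model of a cheap NAT/PAT router (one public IP shared by the LAN, unsolicited inbound dropped, port forwards as the exception) beside a Drop-In firewall (the same public block on every jack, no translation, rules alone decide). All addresses and ports are constructed documentation-range values.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass(frozen=True)
class Packet:
    src: str; sport: int
    dst: str; dport: int

@dataclass
class PatRouter:
    """Cheap NAT/PAT router: one public IP shared by the whole LAN."""
    public_ip: str
    forwards: dict = field(default_factory=dict)   # WAN port -> (private ip, port)
    table: dict = field(default_factory=dict)      # public port -> (private ip, port)
    ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, pkt):
        """LAN -> WAN: source is rewritten to the public IP and a fresh port."""
        pub_port = next(self.ports)
        self.table[pub_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: only replies to mapped flows or explicit forwards get in."""
        target = self.table.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None                            # unsolicited: dropped
        return Packet(pkt.src, pkt.sport, target[0], target[1])

@dataclass
class DropInFirewall:
    """Same public block on every jack: no translation, rules decide."""
    allow: set = field(default_factory=set)        # (dst ip, dport) open inbound
    flows: set = field(default_factory=set)        # remembered outbound flows

    def outbound(self, pkt):
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt                                 # routed untouched, real IP visible

    def inbound(self, pkt):
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return pkt                             # reply to our own traffic
        return pkt if (pkt.dst, pkt.dport) in self.allow else None

def demo():
    """Constructed traffic; addresses are documentation ranges, not real hosts."""
    nat = PatRouter("203.0.113.10", forwards={8080: ("192.168.1.20", 80)})
    out = nat.outbound(Packet("192.168.1.5", 51000, "198.51.100.1", 80))
    reply = nat.inbound(Packet("198.51.100.1", 80, "203.0.113.10", out.sport))
    unsolicited = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 3389))
    forwarded = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 8080))
    box = DropInFirewall(allow={("203.0.113.20", 80)})
    web = box.inbound(Packet("198.51.100.9", 4444, "203.0.113.20", 80))
    rdp = box.inbound(Packet("198.51.100.9", 4444, "203.0.113.20", 3389))
    return out, reply, unsolicited, forwarded, web, rdp
```

Running `demo()` shows the NAT box hiding 192.168.1.5 behind 203.0.113.10 and dropping the unsolicited packet, while the Drop-In box passes traffic to the public address of the web server only where a rule permits it.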

I wasn't disagreeing with you there. Or questioning you there. Maybe I should've prefaced my sentence saying so!

You might think you're going round in circles with me, but actually you've answered most of it.

One of your answers I don't disagree with, but you misunderstood me. The following paragraph from "When" to "NAT)" is what I meant, so you may want to reconsider the answer to that one. When I asked if your firewall appliance can be used without any NAT anywhere, i.e. without even NAT routers connected, I meant in a situation where only one public IP is provided by the ISP. (Your answer addressed only when the ISP provides many IPs, e.g. a block of IPs, and I agree it could be used with that without NAT.)

By the way, the following/last paragraph starting from "what" and ending in "sense": there's no disagreement with anything you said over there!! So no need to 'worry' about the following paragraph or anything after it!

What you said about the bridge mode and the computer getting the public IP was news to me (i.e. I don't disagree, I learnt something). I tried it some years ago but couldn't get a net connection. I thought it was disabling the modem. But I guess not. Now I know why..

formatting link "This modem can also be configured in bridge mode. In bridge mode, the modem does not perform authentication. You need to configure your operating system to connect for you (through Access Manager, RASPPPoE, or Windows XP), or use a broadband router to perform the authentication duties." So, it's a bit like [setting up] a USB DSL modem in that sense.

Reply to
jameshanley39

I think the big waste of time is that soon all "Straight Talk's" posts will disappear, all the time was wasted, and the arguments or misunderstandings will start all over again. (Because the conversation he had with Leythos will become ruined. The thread will be ruined. Not because of Leythos, but because of him.)

Reply to
jameshanley39

I don't see a reason why you need to disagree. It reminds me of 2 people having a discussion about what should be done to deal with the drug problem. Do you bomb the drug fields or do you work with people and get them off their addiction? You do both. I told that to those 2 guys and one of them agreed with me, and the other didn't disagree. I don't want to keep to that analogy.

Looking at the real thing: I see, one doesn't need NAT for security, if he doesn't get the software firewall on his computer compromised. A tall order.

You speak of workarounds to the issue of the firewall getting taken down when in admin mode. Workarounds that you don't mention (wise, given that Leythos knows them anyway and the detail is a side point to the disagreement, but a bit selfish not to mention them, given that it's a public newsgroup and others can benefit).

I know of 2 workarounds:

1) Work in Admin mode (many techies do), and through 'run as', browse in a guest account.

2) Work in Guest mode, and if you want to make an administrative change, log in as administrator. Or, if it's something like double clicking the clock and seeing the time, then go into admin and give yourself the right. Or if you want to install a program whose installation needs admin access to install it, then let the installation program 'run as' admin.

But there are issues with the workarounds.

For '1': if working in admin mode and doing runas to browse in a guest account, how do you quickly get the browser open? I'd like something as quick as Start..Run..iexplore, and an icon too. Is that possible? If so then I may be converted.

For '2': if working in Guest mode and you want to make an administrative change, you have to log off!!!! What a hassle!! I don't want to close my programs. And even if somehow there's a way to get Windows to keep them open, I'd have to save everything and wait around for a while. I seriously doubt you have a way around that, you're not Q from Star Trek TNG. Or do you have a way?

Note: NAT also has its inconveniences, doing port forwarding, but that inconvenience is not as often. And anyhow, it's necessary if one needs many IPs.. I don't see you arguing not to use NAT...

Reply to
jameshanley39

Work as a normal user (not guest). Adjust the rights for programs that need to be run by users but won't run as a normal user [1]. Replace programs where this isn't possible.

For administrative tasks use runas or log in as an administrative user. The latter is the preferred method, because the former may allow for shatter attacks against the programs started with admin privileges.

[1] formatting link

cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

I disagree to a false claim that NAT devices would be some kind of "silver bullet" to protect the rest of us from the ignorant masses.

Difference is, Leythos is promoting a solution that doesn't work. NAT does not provide protection from the ignorant masses. Period.

No.

Reply to
Straight Talk

And yet they are, clearly, a great way to protect people from compromised machines.

Yes, it clearly does. If the infected machine can't reach another infected machine then it's protected.

You just don't seem to understand how networking works.

Reply to
Leythos

But this wasn't what you were advocating. You were advocating installing NAT on the ignorant masses' machines to protect the so-called rest of us.

It's protected against certain threats just like if a simple packet filter like the WF is installed.

Still, NAT doesn't protect "the rest of us" from being DDoS'ed into oblivion by "the ignorant masses" behind NAT devices.

Oh yes, let's get personal...

What I do understand is that you are very good at constantly twisting the topic a little bit.

Reply to
Straight Talk

And I still say that, even above, you just seem to be missing the technology and how it works.

No, the NAT appliance is not anywhere near as easy to compromise as the Windows firewall is, and it's not subject to applications making holes (exceptions) in it.

LOL, and DDoS is such a minor part of what the ignorant masses impact us with. But you appear to have missed the point again: even if my NAT device is being DDoS'd, I can still work behind my NAT device, still print to my network printer, still get work done. I just have an issue with internet traffic, but it never impacts my local network.

LOL, really, me twisting? You've got to be kidding, you're twisting like Chilly does.

Reply to
Leythos

Not much of an argument.

That's true. But when it comes to the chance of "the ignorant masses" getting compromised, it doesn't make much of a difference.

Just one example. Being spammed by bot nets from ignorant masses behind NAT devices is another. Having your domain abused by bot nets spreading spam or malware from ignorant masses behind NAT devices is yet another.

It seems like you're the one having a problem focusing on a topic.

You seem to be running out of arguments.

Reply to
Straight Talk

Something went wrong here..

My reply to Ansgar only went to microsoft.public.windowsxp.security_admin, not to comp.security.firewalls. I think 'cos Ansgar added a 'follow-up' field, and it seems what that did was cause my reply to only go there, and not to the newsgroup where I read the message and clicked reply (comp.security.firewalls). I was only looking in csf so didn't see them. I hadn't encountered that before; it's true of not just Google's web interface, but Forte or any news reader client. Was news to me.

This explains my duplicate posts in that Windows XP security newsgroup.

Sorry.

Reply to
jameshanley39

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.