Linux Distro Wars

Here’s a snip from a forum question that I’m getting ready to write a little
piece on. My response is crude, but my next version of the response will be
more intelligent.

With private addresses you have an extra step that must actively be carried
out. If you don’t do the NAT’ing it then by default nothing will make it to
those hosts to the Internet.

In other words, with routable addresses, the default configuration
takes Internet traffic to your DMZ hosts, whereas with NAT’ing there’s an
extra piece that’s needed.

Think of it as two layers — knowing where to send Internet traffic, and
determining whether it’s allowed or not. Well, with routable addresses
any request to a port on a DMZ host knows where to go —
right to the host. But if you use granular NAT rules you won’t have
that. You can say, for example:

external1:80 –> internal1:80

Notice how specific that is. A connection to port 110 on external1 won’t
take the traffic anywhere inside. 🙂 With routable addresses, that traffic
goes inside by default and it’s up to filtering to stop it.

I prefer it the other way, where you have to explicitly allow specific
host:port translations. Perhaps he has a good point about the complexity not
being worth it, though — it’s up to you guys to quantify the cost vs.
benefit of doing this.

But to answer your question — yes, there is a benefit security-wise,
but it’s mostly based on countering human weakness, i.e. poor configuration.
You can attain the same security level using filtering; it’s just that that
many don’t.

You guys have anything to add as far as benefits of using NAT vs. public
IPs?