Re: Hiding NATs with PF

From: Max Bolingbroke (batterseapower_at_hotmail.com)
Date: 09/28/05 

Date: 28 Sep 2005 11:02:55 -0700

> > How do they 'enforce' this policy exactly ? I've worked in environments
> > with ridiculous policies because some clueless idiot copied something out
> > of a textbook.
>
> Not to mention the time it would take humans to go out and try and
> detect this.
>
> To the OP: Are there policies on using vmware or similar
> multiple-os-per-machine constructs?

None. The only restriction is against routers. The claim is that a NAT
router causes upstream routing headaches. Is this true? I would have
thought that since it acts just like a single host all the performance
penalty is occured by the NAT device itself, as ti does the source port
translation etc.

> Ah, but if the OP is on a campus or something, _his_ network may
> very well be counted part of the network the policy is set for.

Exactly.

> I know of such networks where there is a strict ``no nat'' policy
> because they don't want to deal with abuse hidden by that and the
> resulting expected gefingerpointing. I can't blame them for their
> motives.

Interesting, they don't cite that as a reason. What abuse could be
hidden by a NAT that could not be hidden by a single host with firewall
enabled? Could you please tell me if the one they give (above) is
actually valid? If so I will of course comply with their request.

Thanks for your reply,

Max