At 01:42 PM 20/09/01 +1200, Gordon Smith wrote:
> You have confused port filtering with network address translation.
Umm, where did I mention port filtering? My message was a follow-up to the thread where you suggested the possibility of NAT'ing DSL users at the ISP rather than giving them a real IP.
> I am aware of some MS products not functioning correctly. If they conformed to accepted standards, they probably would.
I'm the first to agree that many of Microsoft's products use dysfunctional protocols; things like Age of Empires (or any other Direct Play game) need ports 1024-65535 pinholed to work. (Yeah, now THAT'S secure! ;) Many other games, even peer-to-peer ones like Starcraft, manage to work fully with just a single pinhole, and server-based games like Quake1/2/3 usually don't need anything special, so why Direct Play networking is so arcane is beyond me.
> H323 doesn't work? See Cisco's articles on NAT support of IP-Phone.
Ah, but now we're talking about a "protocol helper" here to support it. It's not inherently supported by all NAT devices. FTP is about the only protocol you can (almost) guarantee will be supported by all NAT implementations. Helper support for other protocols (which need it) varies from device to device, and has to be considered on a case-by-case basis.
> What does break are things like IPSec, because the packet is altered (see RFC3027)
Which is a good reason not to force NAT on somebody. (Which already happens to anyone with an external ADSL modem, albeit at the customer end of the link, and the NAT device is somewhat under their control.) My argument is not that NAT is evil; I actually think it's very useful, as long as it is under the control of the end user, and they are aware of, and accept, its limitations. But doing the NAT at the ISP is a whole different proposition. (Would you like to share the same IP address with your neighbour?)

Regards,
Simon
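The IPsec point above (RFC 3027: NAT alters the packet), illustrated with an added example that is not part of the thread. It builds a simplified AH integrity check over an IPv4 header and shows that a router's TTL decrement still verifies at the peer, while a NAT's source-address rewrite does not. The key, addresses and payload are constructed; real AH also covers the AH header fields and the SPI, which are omitted here.

```python
import hashlib
import hmac
import struct

# Constructed demo values (documentation-range addresses, not from the thread).
AH_KEY = b"demo-ah-key"
PRIVATE_SRC = "192.168.1.10"  # host behind the ISP's NAT
PUBLIC_SRC = "203.0.113.5"    # address the NAT substitutes on the way out
PEER = "198.51.100.7"         # remote IPsec peer that verifies the AH ICV

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src, dst, ttl=64):
    """Minimal 20-byte IPv4 header carrying AH (protocol 51); checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, ttl, 51, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))

def ah_icv_input(hdr):
    """AH zeroes fields routers legitimately change (TOS, flags/frag offset,
    TTL, header checksum) before hashing; the addresses are NOT zeroed."""
    view = bytearray(hdr)
    view[1] = 0; view[6:8] = b"\0\0"; view[8] = 0; view[10:12] = b"\0\0"
    return bytes(view)

def ah_icv(hdr, payload, key=AH_KEY):
    """Simplified AH integrity check value: HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(key, ah_icv_input(hdr) + payload, hashlib.sha1).digest()[:12]

def router_forward(hdr):
    """A normal hop: decrement TTL (checksum update omitted; AH ignores it)."""
    out = bytearray(hdr); out[8] -= 1
    return bytes(out)

def nat_forward(hdr, public_src):
    """An ISP-side NAT: decrement TTL AND rewrite the source address."""
    out = bytearray(router_forward(hdr)); out[12:16] = ip_to_bytes(public_src)
    return bytes(out)

def peer_accepts(hdr, payload, icv, key=AH_KEY):
    return hmac.compare_digest(ah_icv(hdr, payload, key), icv)

def demo():
    payload = b"constructed upper-layer data"
    sent = ipv4_header(PRIVATE_SRC, PEER)
    icv = ah_icv(sent, payload)              # computed by the sending host
    via_router = peer_accepts(router_forward(sent), payload, icv)
    via_nat = peer_accepts(nat_forward(sent, PUBLIC_SRC), payload, icv)
    return via_router, via_nat               # (True, False)
```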