From: Krzysztof Olędzki
Subject: Re: [RFC PATCH 00/18] netfilter: IPv6 NAT
Date: Tue, 29 Nov 2011 22:38:47 +0100
Message-ID: <4ED550E7.1090609@ans.pl>
References: <4ED4A399.6090709@sophos.com>
To: Jan Engelhardt
Cc: Ulrich Weber, Amos Jeffries, sclark46@earthlink.net, kaber@trash.net, netfilter-devel@vger.kernel.org, netdev@vger.kernel.org

On 2011-11-29 13:23, Jan Engelhardt wrote:
>
> On Tuesday 2011-11-29 10:19, Ulrich Weber wrote:
>> On 28.11.2011 23:03, Amos Jeffries wrote:
>>> I'm going to dare to call FUD on those statements...
>>> * Load Balancing - what is preventing your routing rules or packet
>>> marking using the same criteria as the NAT changer? nothing. Load
>>> balancing works perfectly fine without NAT.
>
> Source address selection, having to occur on the source, would
> require that the source has to know all the parameters that a {what
> would have been your NAT GW} would need to know, which means you have
> to (a) collect and/or (b) distribute this information. Given two
> uplinks that only allow a certain source network address (different
> for each uplink), combined with the desire to balance on utilization,
> (a) a client is not in the position to easily obtain this data unless
> it is the router for all participants itself, (b) the clients need
> to cooperate, and one cannot always trust client devices, or hope for
> their technical cooperation (firewalled themselves off).
>
> Yes, NAT is evil, but if you actually think about it, policies are
> best applied where [the policy] originates from. After all, we also
> don't do LSRR, instead, routers do the routing, because they just
> know much better.
>
>> I fully agree. NAT cannot replace your firewall rules.
>>
>> However with NAT you could get some kind of anonymity.
>
> Same network prefix, some cookies, or a login form. Blam, identified,
> or at least (Almost-)Uniquely Identified Visitor tagging.

But without NAT you have a pretty big chance to have the same IPv6
*suffix* everywhere, based on your MAC address. In your home, your work,
in a cafe or in a hotel during your vacations in Portugal. So yes, NAT
is not a perfect solution but it really helps your privacy.

Best regards,

Krzysztof Olędzki
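The "same suffix everywhere" point above refers to SLAAC addresses whose interface identifier is the modified EUI-64 form of the interface's MAC (RFC 4291, Appendix A). The following is an added example, not code from the thread or from the netfilter project: it derives that identifier from a constructed MAC, shows that the identifier is identical under three different (documentation-range, 2001:db8::/32) prefixes standing in for home, work and cafe networks, and provides a check an administrator can run over observed addresses to see whether a host is still exposing its MAC rather than using privacy extensions (RFC 4941). The MAC and prefixes are constructed sample values.

```python
import ipaddress
from typing import Optional

# Constructed sample values (not from the thread): a fictitious MAC and three
# documentation-range /64 prefixes standing in for home, work and a cafe.
SAMPLE_MAC = "00:1b:21:ab:cd:ef"
SAMPLE_PREFIXES = ["2001:db8:1::/64", "2001:db8:2::/64", "2001:db8:3::/64"]

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC.

    The 48-bit MAC is split in two, 0xFFFE is inserted in the middle, and the
    universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stateless-autoconfigured address a host with `mac` would form in `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def looks_like_eui64(addr: str) -> bool:
    """True when the interface identifier carries the 0xFFFE marker in bits 24..39,
    i.e. the address was most likely derived from a MAC rather than randomised."""
    return (interface_id(addr) >> 24) & 0xFFFF == 0xFFFE


def embedded_mac(addr: str) -> Optional[str]:
    """Recover the MAC an EUI-64 address embeds, or None if it is not EUI-64 shaped."""
    if not looks_like_eui64(addr):
        return None
    iid = interface_id(addr).to_bytes(8, "big")
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def same_suffix_everywhere(prefixes, mac: str) -> bool:
    """Does one host get the identical interface identifier in every prefix?"""
    ids = {interface_id(str(slaac_address(p, mac))) for p in prefixes}
    return len(ids) == 1


if __name__ == "__main__":
    for p in SAMPLE_PREFIXES:
        a = slaac_address(p, SAMPLE_MAC)
        print(f"{p:18} -> {a}  eui64={looks_like_eui64(str(a))}  mac={embedded_mac(str(a))}")
    print("same suffix in every network:", same_suffix_everywhere(SAMPLE_PREFIXES, SAMPLE_MAC))
```

Running `looks_like_eui64` over the addresses seen in router or firewall logs gives a quick inventory of hosts whose suffix, as the mail says, follows them from network to network; a host using RFC 4941 temporary addresses will not carry the `ff:fe` marker.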