What's the difference if you have a Firewall with NAT that permit (and
filter) inbound connections, or simply a firewall that filter the inbound
connections to your valid-IP-addressed stations?
Well... The processing delay, I suppose!
If you don't permit inbound conections, you don't NEED to use
invalid addresses (take care about FTP passive transfers...). It's
good only by turn the management more convenient.
Now, if you permit it but have a good firewall (stateful, etc.),
I belive that translation (or other methods, like SOCKS) is
just a processing-time waste, with no advantage. To reduce
the delay involved with that methods you'll need to use
a more powerfull system (CPU, NIC, etc), and loose more money
with no increase of security...
> From: Alan Goldberg <agoldber @
> To: Firewalls @
> Subject: IP Addressing strategy
> Date: Quarta-feira, 20 de Agosto de 1997 13:32
> We have a class B registered address.
> If we deploy our firewalls do we a) use invalid addresses internally
> for all of our subnets, or b) it doesn't matter.
> There has been debate internally on this issue. I would expect
> that it is easier to manage to continue to use our allocated subnet
> numbers and let the firewall restrict the traffic.
> The other side contends that invalid numbers prevent intrusion.
> Any opinions? facts?
> Alan Goldberg
> HJ Heinz Company of Canada Ltd / Intuit Bus Serv & Tech
> agoldber @