Ubuntu 6.06 criticisms from a programmer 2734
Ubuntu 6.06 criticisms from a programmer 2737

David Brown
I think it would be a good idea. I know plenty of people, friends even that have Internet access...

Steve at fivetrees
Some people consider it an "evil hack", partly because it makes it almost impossible to get incoming connections, and thus buggers up certain types of legitimate traffic (such as those for agreeing about MTU sizes). It can also be a bottleneck when you have a lot of connections (it makes a good bittorrent setup harder). And it is a hack, having been originally invented to allow more computers on the net without using global IP addresses. However, most people who consider it "evil" are the people who are capable of controlling and securing their connections, and who think that *their* nice clean internet has been ruined by all these pesky kids.

The most obvious characteristic of a NAT router is that the computers on one side are invisible to everything on the other side. That is an enormous benefit, and far outweighs the disadvantages for the great majority of users. Any traffic from your PC can go out, nothing unexpected can come in. Since a "firewall" is simply a blocking system for limiting unwanted traffic, a NAT router in itself provides an excellent firewall. Combine that with the fact that setup of a NAT router is almost a no-brainer (at least, for ISPs that sensibly use "Ethernet" connections instead of some silly PPPoE or PPTP bandwidth waster), and it is the single most important feature of a firewall.

Clearly, a firewall can be much more than this. For more advanced use, you might want to poke holes to run a webserver on the inside, or to allow particular types of access from particular IP addresses, or to limit outgoing traffic. You can also filter on higher levels, such as filtering http traffic. And a software firewall on a PC (or "application policy tool", as Paul aptly named it) can give you tight control over specific applications.

But these are not of interest to the average user, and their complexity is overwhelming for most people. A large proportion of zombie PCs have software firewalls installed, but disabled - simply because the user could not understand how to allow their browser or computer game internet access without turning it off.

Ubuntu 6.06 criticisms from a programmer 2735

arachnid
Absolutely. Failing that, ISPs should be required by law to have the same firewall functionality (especially the NAT, and blocking *all* incoming traffic unless explicitly allowed) for their customers. It would not...

Absolutely. Let those who need advanced setups use OpenBSD or Linux with their packet filters for their internet-facing servers, and put a NAT router between everything else and the 'net.