Someone who likes to spend their time shooting people on the same maps over and over would love UT2004.
Sounds like you didn't try all the different modes, particularly ball mode and Onslaught. Lots of strategy and teamwork required. It is more than your regular first person shooter. And UT04 does of course have a plain old deathmatch mode if you're into that.
UT2004 is a complete waste of time. If you liked Unreal Tournament (the original) enough to play it again with slightly updated graphics, then go ahead and waste your money (or just download the demo that has just as much gameplay diversity as the entire game). It runs well under Linux.
But that game has no depth and I feel sorry for my friend who paid cash money for that 5 CD sleeve of crushed hopes.
Well I have no idea what you're talking about. I spent many hours playing UT2004 and it is quite fun. Gameplay is very good. The onslaught mode involves a nice amount of strategy and is fun. Not to mention vehicles. UT2004 is everything the original was and more.
The AlienSwarm mod is also very good and is a totally different type of game.
What puts porn sites in a legal grey area? If everyone involved is a consenting adult, they shouldn't have anything to fear from using the legal system for defense.
The trailers mentioned in the other reply to you also have the advantage that they don't tip over if your bike does. They're safer than the back seats.
In reality, what you really own is the DVD, the box and all the physical stuff on it; now, the media on it is just licensed to us.
Where is the license? At what point do I agree to it? How can I read it pre-sale and decide whether or not I want to accept the license? No license is ever advertised or presented to me for acceptance.
With movies, there is no license. They're just selling copies of copyrighted works. No, they're not selling the copyrights, just that particular copy. The purchaser still has all the usual copyright restrictions imposed upon them by law.
Software comes with an actual license - a few pages of legalese where they try to impose a bunch of restrictions on you. But those licenses are garbage too since they were presented after the purchase. You don't need a license to use things you already own.
wow, you know where to get a free, legal DVD decrypter? where? does it run on linux?
There are none. Neither free as in costs nothing, nor free as in Free Software. There never can be any of those as long as the DMCA is on the books.
But what does this have to do with anyone paying a license fee for a DVD-ROM? We don't pay license fees for DVD-ROMs. There are "license" fees to make a player without being sued by the DVD-CCA. We don't pay that either, at least not directly.
If you live on my street and you own a gun, my life expectancy drops.
Would his making your life expectancy drop not imply that he is a criminal, not a law-abiding citizen? Why would being in proximity to a law abiding citizen make your life expectancy drop?
In most broadband connections, people in the same physical area appear to be on one big ethernet with you.
that's a cable thing though isn't it? rather than a dsl thing?
Both. Cable and DSL connections, from the standpoint of your equipment, look and work like one giant regular ethernet covering the whole area. My router plugs into my cable modem via regular ethernet. The cable modem kind of functions like an ethernet bridge. And on the other side it appears like everything gets unbridged and plugs into one ethernet switch, and one of those devices is the cable/dsl company's router connecting us all to the internet.
Now that isn't how it really works at the lower level - there's more equipment involved and there is really a physical ethernet switch. But from the standpoint of me and the potential attackers, it just looks and works like we are all plugged into one ethernet switch.
Yes, it is true that practically no one uses NAT without a firewall. But the point is that you could take away the NAT and leave the same firewall rules and your network would be no less secure. So all this constant talk about how IPv6 will make everything less secure because no one will have NAT and everyone will have real, routable addresses is complete garbage.
Yes, I've read that section. The assumption is that the addresses used on the internal network are not routable and thus NAT is required for connections to work. 'uni-directional' means NAT will only cooperate to provide connections in one way and won't provide any kind of translation that makes inbound connections possible.
That is all true. But my argument is that the assumption is wrong. Your internal addresses aren't really guaranteed to be unroutable to attackers. Someone who is on the same outside network as you (i.e., someone in the same physical area with the same broadband ISP) can easily make your network address routable. Someone in your ISP, or exploiting a security problem at your ISP, can easily make your addresses routable to many people.
Once your unroutable addresses become routable to the attacker by these and other methods, NAT is completely taken out of the picture because it isn't needed to establish a connection. NAT might refuse to translate a packet for an inbound connection - but once your addresses are routable we don't need NAT's help anymore. And just because a packet is not being NATed by the router doesn't mean it will be dropped.
You can test this on a linux router for instance. Flush all your netfilter tables and then add only a single entry to NAT outbound stuff. You'll find that while outbound connections will be NATed, if you make the internal network routable by the outside, inbound connections will work perfectly. See this thread for more info. I'm told you can do the same thing with a Cisco router. Tell it to do NAT and not much else and you'll get similar results.
A uni-directional NAT, by definition, drops inbound initiations and is referred to as the "traditional" style.
Actually it doesn't drop anything. The word 'drop' does not appear in the RFCs in any relevant way*. What makes a uni-directional NAT uni-directional is that it will only NAT outbound connections. If the internal network is unroutable, then yes, you depend upon NAT to make a connection. But this is all assuming your internal addresses remain unroutable, which is not something you can guarantee.
Since routing changes on the outside can make your NAT totally unnecessary for connections, you must depend on a firewall to actually drop unwanted inbound connections.
In fact, see RFC 2663 section 9.0:
NAT routers may be used in conjunction with firewalls to filter unwanted traffic.
this is where this falls down on the internet. if my dsl router acted as the router above does then I am still by and large safe. the attacker can make a good guess at what my internal ip addresses are (or brute force) but how does he route those packets towards my router? the half dozen other routers between my attacker and me will swallow those rogue packets.
In most broadband connections, people in the same physical area appear to be on one big ethernet with you. If you turn off your firewall, those people can easily route packets past your router since there are no other routers between you and them.
And in the larger picture, you're putting the security of your network entirely in the hands of your ISP. Is that really a good idea?:)
We use it for security more than getting a few more ip addresses.
No you don't. That would be impossible, since nothing in the NAT standards specify that NAT should drop any kind of packets. Can you even name a NAT implementation which blocks packets? Hints: Cisco's doesn't. Linux's doesn't. Most appliance broadband routers are incapable of being configured to do NAT without doing packet filtering.
We use NAT as a 1 to 1 mapping, allowing the internal hosts to be shielded,
They aren't shielded from anything by NAT. NAT is incapable of shielding anything. A firewall is pretty good at shielding your internal hosts, but a firewall does not need NAT at all to perform that function.
I have a Redhat 7.3 machine at 192.168.0.22 and it has no firewall on it and has internet connectivity. The root password is mAyB3N0tn0w. Let me know what you find. Even with my real world ip address, you still have no way of getting to it. You can not get to it directly => security IS enhanced. NAT is one part of a "firewall", they are not separate things.
Go ahead, post your real world IP address.
Do you have broadband? Anyone who is on the same logical ethernet as you (people in the same physical area, most likely) can add a route to 192.168.0/24 via your public IP address and the traffic will flow right in to your private network.
And how much do you trust your ISP? Your ISP, or someone exploiting a security flaw in your ISP's stuff, can make your internal network fully routable to the entire ISP and all of its customers (possibly even beyond).
And does your next hop router do any loose source routing? You better hope not.
And without a firewall I can trivially spoof the source address on traffic coming into your network. That may or may not be a problem for you.
That's a bug, not a feature. If a NAT receives an IP packet from outside that's addressed to its internal, unroutable network it should drop it on the floor (if it's not already filtered by your ISP). Perhaps not all NATs work that way, but it's not hard to imagine one that works correctly. If such a device no longer fits your definition of NAT, you should think about expanding your definition.
It isn't MY definition of NAT that such a device wouldn't fit. It wouldn't fit ANY definition of NAT. See RFCs 1631 and 2663 - the standards that define NAT. Nothing in them specifies dropping packets.
Can you name any implementation of NAT which drops packets like this? I can tell you Cisco's doesn't and Linux's doesn't. I don't know of any that does. And they shouldn't either. Deciding what packets to drop and what packets to pass isn't NAT's job.
If it's been said that many times, would it be that hard to cite a reference?
Sure, every slashdot story about IPv6. Every time such a story comes up, a bunch of people talk about how NAT solves all their problems and provides them with nice security, and then other people come along and inform them that NAT != security.
Maybe if you set up port forwarding, or you're using a broken NAT that uses a static table rather than full IP masquerade.
Nope. A properly functioning NAT only translates packets that it was specifically instructed to (new outbound in this case). Packets that you didn't tell it to translate get passed right along untranslated. It doesn't block anything.
Nothing behind the NAT has a globally routable IP address,
It may not be "globally" routable - but that doesn't mean it isn't routable by people you don't want in your network. For instance, if I disable firewall rules on my router leaving only NAT, I can go to my neighbor (who has the same broadband ISP and is on the same logical ethernet), add a route to my private network via my router's public IP address and the packets will come right in. If someone has access to your ISP's routers, they can make traffic to your private network routable to the entire ISP and all the ISP's customers. And then there's loose source routing. And spoofed internal source addresses... all kinds of things you may be vulnerable to if you're using NAT without a firewall. And yes, this is with masquerade and no port forwardings.
so there's no way to send anything to it unless the NAT is configured to forward packets sent on a particular port, which it shouldn't do unless port forwarding is configured on that port or an internal machine has transmitted a packet to the outside world and the NAT remembered its source port and internal IP so it can rewrite incoming reply packets.
If a forward isn't set up for a certain type of traffic, all that means is that NAT won't translate that packet. It doesn't mean it gets dropped. It will just get passed along untranslated unless firewall rules block it.
If you are doing MASQUERADE, you are doing SNAT. If you are doing SNAT, it makes it almost a firewall anyway because you would be hiding non-routable ip addys which must be SNAT-ed to traverse the net.
That depends on what you define 'the net' as. If I go and type those commands on my linux router at this very moment, I can head over to the house down the road or anyone else on this same logical ethernet with this broadband ISP, plug my laptop into their modem, type 'route add -net 10.0.0.0/24 gw ', and I will be able to fully connect to all my machines on the inside network with no problem. If my ISP gets hacked (wouldn't be surprising) or someone with the right access at the ISP wants to screw me, they can set up similar routing on their routers and my network will be fully accessible from anywhere in that ISP and from any of my ISP's customers and maybe beyond.
External attackers can't route to any machine on your lan, except your gateway/firewall machine.
Yes they can. They can route the packets into your router, and given those commands, your router will happily pass their packets along to the internal machine. It has no rules telling it to block anything. I just tried this exact thing on my network here: I have a vmware virtual machine on my laptop connected to my laptop via a virtual ethernet numbered 192.168.1/24. My laptop has a physical ethernet connected to my router, numbered 10.0.0.0/24. I set my laptop up to NAT the vmware machine via the commands I posted. That worked as expected. Then I logged into my main router (10.0.0.1), typed 'route add -net 192.168.1.0/24 gw ', and voila, I was able to ping 192.168.1.2, the vmware virtual machine just fine. Wide open.
Now just shift that process up to my main router instead of my laptop, and you see the problem in assuming NAT also gives you firewall capabilities.
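The vmware experiment above (and the "flush the tables, add one NAT rule" test described earlier in the thread) can be replayed in a small model of the Linux netfilter path. This is an added example, not code posted by anyone in the thread. The "NAT only" configuration stands for `iptables -F; iptables -t nat -F; iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE`; the "NAT plus firewall" configuration adds `iptables -P FORWARD DROP`, an ACCEPT for lan-to-wan traffic, an ACCEPT for `--state ESTABLISHED,RELATED`, and `net.ipv4.conf.all.rp_filter=1`. The interface names `lan0`/`wan0` and the addresses 203.0.113.7 and 198.51.100.9 are placeholders I chose (documentation ranges), and the model skips port remapping and conntrack timeouts.

```python
# Added example (not code from the thread): a model of the Linux netfilter
# path, replaying the vmware experiment from the post above.
# Configuration A ("NAT only") stands for:
#   iptables -F; iptables -t nat -F
#   iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
# Configuration B ("NAT plus firewall") additionally stands for:
#   iptables -P FORWARD DROP
#   iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT
#   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#   sysctl -w net.ipv4.conf.all.rp_filter=1
# Addresses 203.0.113.7 and 198.51.100.9 are placeholders (documentation ranges).
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # private side, as in the experiment above
WAN_IP = "203.0.113.7"               # router's public address (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str   # interface the packet arrived on: "lan" or "wan"


@dataclass
class Router:
    stateful_filter: bool = False   # FORWARD chain: accept everything vs. ESTABLISHED,RELATED only
    rp_filter: bool = False         # drop wan-side packets that claim a LAN source address
    # reply tuple (src, sport, dst, dport) -> the LAN endpoint it must be translated back to
    conntrack: dict = field(default_factory=dict)
    # original-direction tuples already masqueraded, so later packets count as ESTABLISHED
    outbound: set = field(default_factory=set)

    def handle(self, pkt: Packet):
        """Run one packet through PREROUTING, routing, FORWARD and POSTROUTING.
        Returns (verdict, packet as it would leave the router)."""
        state = "NEW"
        tup = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # nat PREROUTING: only packets that conntrack already knows get un-masqueraded
        if tup in self.conntrack:
            lan_addr, lan_port = self.conntrack[tup]
            pkt = replace(pkt, dst=lan_addr, dport=lan_port)
            state = "ESTABLISHED"
        elif tup in self.outbound:
            state = "ESTABLISHED"
        # reverse-path check (rp_filter): a LAN source cannot legitimately arrive on wan
        if self.rp_filter and pkt.in_if == "wan" and ip_address(pkt.src) in LAN:
            return "DROP", pkt
        # routing decision: the router has a route to the LAN, so LAN destinations go there
        out_if = "lan" if ip_address(pkt.dst) in LAN else "wan"
        # filter FORWARD chain: with NAT only it is empty (policy ACCEPT) and passes everything
        if self.stateful_filter and pkt.in_if == "wan" and state != "ESTABLISHED":
            return "DROP", pkt
        # nat POSTROUTING: MASQUERADE applies only to NEW flows leaving on wan
        if out_if == "wan" and state == "NEW" and ip_address(pkt.src) in LAN:
            self.conntrack[(pkt.dst, pkt.dport, WAN_IP, pkt.sport)] = (pkt.src, pkt.sport)
            self.outbound.add(tup)
            pkt = replace(pkt, src=WAN_IP)   # source port kept; real masquerade may remap it
        return "FORWARD", pkt


def scenario(stateful_filter: bool, rp_filter: bool = False) -> dict:
    """Replay the experiment: one LAN host behind the router, one outside host."""
    r = Router(stateful_filter=stateful_filter, rp_filter=rp_filter)
    out = {}
    # 1. the guest 192.168.1.2 opens a connection to the outside
    v, p = r.handle(Packet("192.168.1.2", 40000, "198.51.100.9", 80, "lan"))
    out["outbound"] = (v, p.src)
    # 2. the outside host replies to the public address; conntrack maps it back
    v, p = r.handle(Packet("198.51.100.9", 80, WAN_IP, 40000, "wan"))
    out["reply"] = (v, p.dst)
    # 3. the neighbour has run 'route add -net 192.168.1.0/24 gw <WAN_IP>' and
    #    sends a fresh connection straight to the private address
    v, p = r.handle(Packet("198.51.100.9", 55555, "192.168.1.2", 22, "wan"))
    out["unsolicited"] = (v, p.dst)
    # 4. a packet on the wan side forged to carry an internal source address
    v, p = r.handle(Packet("192.168.1.50", 1234, "192.168.1.2", 22, "wan"))
    out["spoofed"] = v
    return out


if __name__ == "__main__":
    for label, cfg in (("NAT only", dict(stateful_filter=False)),
                       ("NAT + firewall", dict(stateful_filter=True, rp_filter=True))):
        print(label, scenario(**cfg))
```

With NAT only, steps 1 and 2 work exactly as people expect from masquerading, but step 3 is forwarded untranslated to 192.168.1.2 and step 4 is forwarded too: nothing in the NAT path ever produced a DROP. The same packets are dropped only once the FORWARD chain and rp_filter are in place. The loose-source-routing point raised elsewhere in the thread is handled on a real box by `net.ipv4.conf.all.accept_source_route=0`, which is also a filtering decision and not part of NAT.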
It's a firewall. When you issue those commands, you might notice the conntrack module being loaded. It maintains a table of the active connections. No packets ever go to the interior machines except when they correspond to one of those connections, initiated only on the inside. So it's a specialized firewall, but a firewall. And a good one.
No no no. It isn't a firewall at all. That table of active connections only applies to packets in response to a connection that is already NATed. If a new connection comes in for an internal machine, that inbound connection is not getting NATed. And that connection will go through just fine. Trust me, I just tried this on my own network. I'm going to explain it all in my next reply to the other guy who replied to me.
Even without the firewall, NAT is more secure than not having NAT. Secure enough for most home users whose real concern is the worms scanning the internet and not clever hackers manipulating routing tables. Since common devices do provide the simple filtering necessary to protect against this kind of attack, this is all pretty moot.
Well, most home users I know would be concerned about mildly clever attackers too. But you're right, that's all moot because practically all common router appliances provide some firewall - more than just straight NAT.
Obviously you haven't done it with networks of the complexity I have. It isn't just about changing providers. It could be as simple as adding a new remote office. What do you do when you've already allocated your /24 to your LAN/WAN? How about adding a DMZ to your firewall? All this requires reprovisioning, resubnetting, and re-IPing if you have a fixed public set.
Just request another, additional block from your ISP. You don't need to renumber everything. Still not what I would call too difficult to outweigh the advantages of routable addresses. Maybe it's a matter of opinion.
It would be nice if you could just arbitrarily get new public IPv4 subnets or start with a large enough block as in IPv6, but that is not the way things are.
And that right there is the whole point of this thread. If we had IPv6, we wouldn't need NAT (at least not for its most common use) and our networks would be a lot more powerful. But every time a discussion about IPv6 comes along on slashdot, people pop up saying "IPv6 is unnecessary. NAT solves all those problems, and gives us security too. And who needs a /64 prefix when I can just pick a large RFC1918 block and use that just as well?" and none of that is true. Maybe if some of this FUD about NAT providing advantages that it doesn't and the fear of giving one's machines real, routable IP addresses would stop, demand for IPv6 would increase.
I try to avoid port mapping and opt for IP mapping. If there is a server behind NAT that I will need to access, I give it its own static translation.
As in one-to-one NAT? So you're essentially giving this machine its own routable IP Address, only with the complexity of NAT thrown in?
Umm, I would be using a firewall, NAT or no NAT. I wouldn't put a business on the Internet without one. [...] As to why I wouldn't assign public addresses directly to the machines? Because it isn't worth the loss of flexibility.
Exactly. So NAT isn't security (except for these home users that you believe aren't that interested in security), you're just doing NAT to avoid renumbering a large, complicated network if you change upstream providers and to have an arbitrarily large prefix. IPv6 addresses both of these concerns - you'll get a /64 from whatever provider you choose, which should be large enough for your network. And if you have to renumber you only need to change the internet prefix, the first 64 bits. And while I admit that is still harder than switching providers with NAT, it is easier than renumbering various sized patchwork networks (created by the situation I mentioned in my second paragraph). But again, even taking into account the renumbering ease that NAT gives you, I still think routable addresses and the abundance of them that IPv6 gives is worth it.
Well, I really don't know what this "DNS hostnames instead of hard coded IP addresses" thing is, but OK. If you don't mind dealing with it, go for it.
DNS hostnames instead of hardcoded IP addresses: instead of configuring a machine to make its time server is 10.5.23.40, you make it 'time.company.com'. Instead of telling a user to pull up the com
I was under the impression that most common NAT/PAT implementations (such as a broadband router) besides Cisco IOS did block inbound packets that weren't associated with outbound connections. But I should really test it myself.
Linux's does not block packets if you only tell it to do NAT, I just tested it myself. And most of those broadband router boxes are doing much more than only NAT. In fact in my experience, you can't make them only do NAT and not any kind of filtering.
NAT doesn't stop anything. A firewall does.
Those aren't "our" license fees.
Talk about flamebait.
What licensing fees? We didn't license anything. We bought copies of copyrighted works. Those copies are our property.
Here's some useful educational material for whatever moron modded this flamebait:
RFC 1631
RFC 2663
well you shouldn't.
Security through obscurity?