Re:You are already are using IPv6 (Score 1)

There are many ways of screwing up a users computer for nefarious uses - honey potting them with pop-ups on dodgy websites that install mirc botnets, the user opening the email with britneynaked.jpg.bat as the attachment, distrbuting autorun.inf files on usb keys (I beleive a security assessment firm contracted by a British bank scattered 100 usb flash drives in the vicinity of the bank's head office at lunch with an autorun file to report back when bank employees plugged them into their workstations out of curiousity - a high percentage did)

The main threats that using NAT removes are the outside influences caused by a direct incoming connection - remember Windows Messenger pop-ups (winpopup?) advising the user to go to a certain website to clear spyware? Or a Windows 98 machine simultaneously dialled up to the Internet through a modem and connected to a LAN - File & Print Sharing switched on? AT least when the user is behind a NAT - any pings to port 139 are ignored unless the user specifically allows such activity which indicates a level of technical knowledge such that they can secure their machines adequetly.

I must confess only an beginner's knowledge of iptables coming as I do from a Windows background but from what I can see - this configuration would need to be replicated on each workstation - grand if you image each harddisk - but would it not be easier to set this rule at the gateway that provides NAT? What if you want to allow a certain port - for example the company relaxes restrictions on MSN Messenger usage (Gaim on Linux I suppose) - the admin must either go to each machine or re-image each workstation - quite tedious.

Not really the main thrust of my point - but how are these addresses allocated - a DHCP process by the ISP?