It's a barely contained security nightmare: My client currently has a static IP. The vendor sends printer traffic to the IP address. All traffic on the printer's TCP port from the vendor's three IP ranges passes on to the NAT'ed printer. Everything else is binned. (I think - I hope - their printer won't accept unacknowledged/spoofed packets. Or at least not enough to do more than hurl a tray of paper.)

At the firewall level, there's no inspection, no proxies - no nothin' but sourced port traffic.

This appalls me enough; I really don't want to open them up to more open inbound traffic. They're locked into the vendor. And I haven't been able to effectively shame their vendor yet. I just want to keep source/port filters in place.

-jk


Edited by jmwking (21/04/2015 21:44)