From owner-freebsd-security Wed Jul 17 5:26:11 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52FB737B400 for ; Wed, 17 Jul 2002 05:26:08 -0700 (PDT)
Received: from heresy.dreamflow.nl (heresy.dreamflow.nl [62.58.36.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 88B7D43E31 for ; Wed, 17 Jul 2002 05:26:07 -0700 (PDT) (envelope-from bart@dreamflow.nl)
Received: (qmail 41420 invoked by uid 1000); 17 Jul 2002 12:26:06 -0000
Date: Wed, 17 Jul 2002 14:26:06 +0200
From: Bart Matthaei
To: Sabri Berisha
Cc: "Carroll, D. (Danny)" , security@freebsd.org
Subject: Re: ipfw and it's glory...
Message-ID: <20020717122606.GD40276@heresy.dreamflow.nl>
References: <20020717120231.GB40276@heresy.dreamflow.nl> <20020717141338.M82632-100000@doos.cluecentral.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020717141338.M82632-100000@doos.cluecentral.net>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Jul 17, 2002 at 02:16:29PM +0200, Sabri Berisha wrote:
> > Natd on a firewall ? Firewalling a public network ? I don't think so
> > :)
>
> Nothing wrong with that. In fact, you might even want to consider using
> natd only if you don't use the box for another purpose.

I wouldn't advise running natd on a firewall serving a large network, since it runs in userland. IPnat is an option, though.

Anyway, back to the original issue: I'd rather not use PunchFW on a large network. They don't call > 1024 un-privileged for nothing. No need to firewall all of them. Just a few daemons that use them, like Mysql and X.

Cheers,

Bart

--
Bart Matthaei bart@dreamflow.nl
If at first you don't succeed, redefine success.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
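To make the last point of the message concrete, here is an added example (not from Bart's message and not FreeBSD's own rc.firewall) of an ipfw ruleset, in the classic FreeBSD 4.x ipfw syntax, that leaves the unprivileged port range open for return traffic and fences off only the daemons that happen to listen there. It assumes an outside interface named fxp0, MySQL on 3306/tcp, X11 on 6000-6063/tcp, and that sshd and httpd are the only services meant to be reachable from outside; all of those are assumptions, not facts from the thread.

```sh
#!/bin/sh
# Added example, not part of the original thread or of FreeBSD's rc.firewall.
# Emits an ipfw ruleset (classic FreeBSD 4.x ipfw syntax) that leaves the
# unprivileged port range alone and instead fences off the specific daemons
# that listen there. Assumptions: outside interface fxp0, MySQL on 3306/tcp,
# X11 on 6000-6063/tcp, and sshd and httpd are the only services meant to be
# reachable from outside.

EXT_IF="${EXT_IF:-fxp0}"

gen_ipfw_rules() {
    cat <<EOF
# loopback traffic is always fine; nothing else may claim 127/8
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# the daemons that happen to live above 1024: refuse every segment to them
# arriving on the outside interface, not just SYNs, so ACK probes die too
add 1000 deny log tcp from any to me 3306 via $EXT_IF
add 1010 deny log tcp from any to me 6000-6063 via $EXT_IF
# replies to connections this host opened; placed after the daemon rules
# because "established" is stateless and matches any non-SYN segment
add 2000 allow tcp from any to any established
# services that are meant to be public
add 3000 allow tcp from any to me 22 setup via $EXT_IF
add 3010 allow tcp from any to me 80 setup via $EXT_IF
# outbound: this host may open TCP connections and talk to its resolver
add 4000 allow tcp from me to any setup
add 4010 allow udp from me to any 53
add 4020 allow udp from any 53 to me
# everything else, including new connections to other high ports, ends here
add 65000 deny log ip from any to any
EOF
}

# rule number of the first non-comment rule matching a pattern; handy for
# checking that the daemon denies really sit in front of "established"
rule_number() {
    gen_ipfw_rules | grep -v '^#' | grep "$1" | head -n 1 | awk '{print $2}'
}

gen_ipfw_rules
```

The script only prints the rules; load them with `sh gen_rules.sh > /etc/ipfw.rules && ipfw -f flush && ipfw -q /etc/ipfw.rules` (ipfw skips `#` lines when reading a file). The ordering is the point: the two daemon denies must precede the `established` rule, because ipfw's `established` keyword is a stateless match on any segment without SYN, so a rule allowing it first would let ACK-flagged probes reach 3306 and 6000-6063.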