Date:      Wed, 02 Jul 2003 14:33:13 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        freebsd-ipfw@freebsd.org
Cc:        freebsd-net@freebsd.org
Subject:   Re: Performance improvement for NAT in IPFIREWALL
Message-ID:  <3F034F99.2080607@tenebras.com>
In-Reply-To: <20030702185538.GA4555@pit.databus.com>
References:  <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com> <20030702185538.GA4555@pit.databus.com>

Barney Wolff wrote:
> On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
> 
>>>NAT is not a security feature,
>>
>>Many would disagree with that assertion.
> 
> They would be wrong.  Find a real security expert and ask.

Clearly that would not be you.  Both static and dynamic (or "hide")
NAT have security functions.

> Yes, but it's not necessary to keep state for connections from outside in,
> only from inside out.  If you have an enemy inside, nothing will help you.

Actually, you're quite mistaken.  There are reasons for maintaining
state for VPN and other connections that are unrelated to public
services.  And it's probably better to exhaust mbufs at the perimeter
than the interior...
