From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Wed, 02 Jul 2003 21:05:02 -0400
cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Performance improvement for NAT in IPFIREWALL
Message-ID: <3F03813E.9020407@mac.com>
In-Reply-To: <20030702212709.M1913@odysseus.silby.com>
References: <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com> <3F0331EE.6020707@mac.com> <3F0350C7.7010009@tenebras.com> <3F036571.8030609@mac.com> <20030702212709.M1913@odysseus.silby.com>
List-Id: IPFW Technical Discussions

Mike Silbersack wrote:
[ ... ]
> Please explain this point more.
>
> Say I have 1000 win 9x boxes connected to the internet with routable IPs
> and no firewall.  How will placing them behind a NAT box make them less
> secure?

"man natd" suggests that you've just enabled IP spoofing for the LAN:

     You should be aware of the fact that, with these firewall settings,
     everyone on your local network can fake his source-address using your
     host as gateway.  If there are other hosts on your local network, you
     are strongly encouraged to create firewall rules that only allow
     traffic to and from trusted hosts.

People using NAT tend to permit arbitrary outbound connections from clients
rather than, for example, mandating that all permitted client connections go
through a designated and monitored proxy.  The placement of the divert rule
early on tends to circumvent egress filtering.

However, I would suggest that my point has less to do with whether NAT can
reduce the security of a completely open network with no firewall any
further (although there are ways that it could), and more to do with whether
the combination of firewall+NAT is particularly safe and secure compared
with firewall-without-NAT.  At the very least, using NAT on the firewall
increases the scope and potential of denial-of-service attacks to exhaust
kernel memory or sockets (if use_sockets is set).

-- 
-Chuck

PS: But I also saw comments from Ruslan and Dean, and I'm willing to let
this issue lapse rather than prolong a debate that people don't think is
on-topic.
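The natd(8) warning and the divert-rule placement point in the message above, as an added example that is not part of the original mail, the natd manual or FreeBSD's own rc.firewall: a small sh script that emits two ipfw rule files, the "divert first, pass everything" set the manual warns about and a variant that checks the untranslated source address and applies egress policy before the divert rule. The interface names fxp0/fxp1, the LAN prefix 192.168.1.0/24 and the proxy address 192.168.1.10 are assumptions chosen for illustration; only TCP is handled so the contrast stays readable.

```shell
#!/bin/sh
# Added example (not from the original message or the natd(8) manual): the minimal
# natd ruleset the manual warns about, next to a ruleset that checks untranslated
# source addresses before the divert rule. Interface names, the LAN prefix and the
# proxy address are assumptions chosen for illustration.

EXT=fxp0              # assumed: outside interface, whose address natd uses
INT=fxp1              # assumed: inside interface
LAN=192.168.1.0/24    # assumed: the one prefix legitimately present on $INT
PROXY=192.168.1.10    # assumed: the only LAN host allowed to originate outbound TCP

# The ruleset natd(8) describes: divert first, then pass everything. A LAN host
# that forges its source address is translated and passed like any other, and an
# egress rule placed after rule 100 that matches "from $LAN ... out xmit $EXT"
# never fires, because by then natd has rewritten the source to $EXT's address.
weak_ruleset() {
    echo "add 100 divert natd ip from any to any via $EXT"
    echo "add 200 allow ip from any to any"
}

# Hardened variant. Every packet is evaluated once when it enters on $INT (still
# carrying the real source) and once when it leaves on $EXT (after the divert),
# so source checks and egress policy sit on the input pass, ahead of the divert
# rule. Only TCP is handled, to keep the contrast with the weak set clear.
hardened_ruleset() {
    echo "add 10 allow ip from any to any via lo0"
    # Anti-spoofing, before any translation: what arrives on the inside
    # interface must carry an inside address.
    echo "add 100 deny log ip from not $LAN to any in recv $INT"
    # Packets claiming an inside source must not arrive from outside.
    echo "add 110 deny log ip from $LAN to any in recv $EXT"
    # Egress policy on the untranslated packet: only the proxy may originate
    # outbound TCP; everything else from the LAN is logged and dropped.
    echo "add 200 allow tcp from $PROXY to any in recv $INT"
    echo "add 290 deny log ip from $LAN to any in recv $INT"
    # Translation happens only after the checks above have passed.
    echo "add 300 divert natd ip from any to any via $EXT"
    # Post-translation: let the translated packet out, let packets of
    # established sessions through in both directions, drop everything else.
    echo "add 400 allow tcp from any to any out xmit $EXT"
    echo "add 410 allow tcp from any to any established"
    echo "add 65000 deny log ip from any to any"
}

# Usage: sh natd_rules.sh hardened | ipfw -q /dev/stdin
case "${1:-}" in
    weak)     weak_ruleset ;;
    hardened) hardened_ruleset ;;
esac
```

Flush the existing rules first (ipfw -q flush) and load the emitted file with ipfw -q /dev/stdin. The point to take from the two sets is the ordering: in the hardened set the deny rules that inspect a LAN source (100, 110, 290) all carry lower numbers than the divert rule (300), so a forged source is rejected, and logged, before natd ever sees the packet, whereas in the weak set the divert rule is first and nothing after it can tell a spoofed client from an honest one.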