Date: Mon, 31 May 1999 20:28:47 -0400
From: "Steven Vetzal" <svetzal@icom.ca>
To: "'Jim Cassata'" <jim@web-ex.com>, <net@FreeBSD.ORG>
Subject: RE: natd question
Message-ID: <000501beabc5$b6f0e460$7ffea8c0@blazer.pr1.on.wave.home.com>
In-Reply-To: <Pine.BSF.4.10.9905311800010.22215-100000@homer.web-ex.com>
I tend to disagree with Jim's comment on "unroutable IPs" being no risk. They're no risk if you're positive the _other_ side of your link is clean, but there are far too many mismanaged routers out there that don't have unroutable ranges blocked, and if you're really paranoid, how do you know the router you're talking to hasn't been compromised and is handing you packets disguised as your own?

Everything not in your control is suspect, and even all things you _think_ are in your control should be considered suspect.

I agree with Luigi's (forgive me) paranoid approach...

Steve

-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG [mailto:owner-freebsd-net@FreeBSD.ORG] On Behalf Of Jim Cassata
Sent: May 31, 1999 2:02 PM
To: net@FreeBSD.ORG
Subject: Re: natd question

> yes, I already did that, and in fact at least natd only sees useful
> pkts now. However there are still a couple of useless passes through the
> firewall code (once a pkt is diverted, you know what to do with it, no
> need to do further analysis), plus having forwarding enabled makes
> me feel a bit uncomfortable...
>

IP forwarding is no risk when you are running "unroutable IPs" on the private side.

Jim Cassata
516.421.6000
jim@web-ex.com
Web Express
20 Broadhollow Road Suite 3011
Melville, NY 11747

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
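An added example, not part of this thread or of natd/ipfw: the ingress check that Steve's "paranoid approach" implies, written as a small Python classifier you can run against captured headers. It drops packets arriving on the upstream interface whose source or destination is in RFC 1918 space, and packets from the LAN whose source is not our own prefix; the interface names (ed0/ed1), the LAN prefix and the sample headers are assumptions constructed for the example.

```python
import ipaddress

# Constructed scenario (not from the thread): a dual-homed NAT gateway.
# Interface names and the LAN prefix are assumptions for the example.
EXT_IF = "ed0"                                   # faces the upstream router
INT_IF = "ed1"                                   # faces the private LAN
LAN = ipaddress.ip_network("192.168.1.0/24")     # our own "unroutable" range

# RFC 1918 space must never be seen on the upstream link; if it is, either the
# far router is mismanaged or someone is handing us packets disguised as ours.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIVATE)


def ingress_verdict(iface, src, dst):
    """Verdict for a packet as it enters the box, evaluated before any NAT
    divert rule so spoofed packets never reach natd or the forwarding path."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == EXT_IF:
        # Outside-in: private source = spoof or leak; private destination
        # = something outside is routing our internal space to us.
        if is_private(s) or is_private(d):
            return "deny"
    elif iface == INT_IF:
        # Inside-out: a LAN host must use an address from our own LAN prefix.
        if s not in LAN:
            return "deny"
    return "allow"


def audit(packets):
    """Tag each (iface, src, dst) triple with its verdict; useful for checking
    a ruleset against captured headers before deploying it."""
    return [(iface, src, dst, ingress_verdict(iface, src, dst))
            for iface, src, dst in packets]


# Constructed sample headers: (interface, source, destination).
SAMPLE = [
    ("ed0", "198.51.100.7", "203.0.113.2"),    # ordinary Internet traffic
    ("ed0", "192.168.1.5", "192.168.1.10"),    # "one of ours" arriving from upstream
    ("ed0", "203.0.113.9", "10.0.0.1"),        # private destination from upstream
    ("ed1", "192.168.1.5", "198.51.100.7"),    # LAN host going out, legitimate
    ("ed1", "10.9.8.7", "198.51.100.7"),       # LAN host using a foreign address
]

if __name__ == "__main__":
    for iface, src, dst, verdict in audit(SAMPLE):
        print(f"{iface} {src:>15} -> {dst:<15} {verdict}")
```

The same two checks, placed ahead of the divert rule in a real ipfw ruleset, are what stop forwarding from becoming a risk when the far side of the link is not trustworthy.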