From: Warner Losh
To: Ollivier Robert
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Should jail treat ip-number?
Date: Fri, 12 Nov 1999 12:06:31 -0700
Message-Id: <199911121906.MAA18259@harmony.village.org>
In-reply-to: Your message of "Thu, 11 Nov 1999 20:52:38 +0100." <19991111205238.A52039@keltia.freenix.fr>
References: <19991111205238.A52039@keltia.freenix.fr> <199911090824.KAA90295@zibbi.mikom.csir.co.za> <22398.942136151@critter.freebsd.dk> <19991110000004.A37063@keltia.freenix.fr> <19991111010837.C48604@server.nostromo.in-berlin.de>

In message <19991111205238.A52039@keltia.freenix.fr> Ollivier Robert writes:
: NAT breaks too many things (like IPsec, incoming connections and many
: protocols) to be anything else than an abomination in my eyes.

It breaks any protocol that encodes an IP address and/or a port into the data stream. Without datastream snooping and translation, talk, ftp, real audio and a few others would break. When I was working on TIA (a commercial SLIRP-like program) we ran into these problems all the time.
As soon as we put in upgrades for a recently released protocol, a new one would come along, or an old one would break in subtle ways (e.g., we did the translation when we had no business doing the translation), leading to configuration nightmares. When it worked it was cool, when it didn't... This is why you can't, for example, NAT China :-)

Warner
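As an added illustration of the "datastream snooping and translation" the message describes (this is not code from the post or from TIA), the sketch below rewrites an FTP `PORT` command the way a NAT helper must, and refuses to touch lines that only resemble one. The addresses, the port numbers and the `map_port` callback are constructed assumptions.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 as decimal octets.
# Anchored at both ends so only a complete PORT command line matches.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

def rewrite_port(line, inside_ip, outside_ip, map_port):
    """Translate one FTP control-channel line; return (new_line, length_delta).

    map_port is a hypothetical callback standing in for the NAT mapping
    table: it returns the outside port allocated for (inside_ip, port).
    """
    m = PORT_RE.match(line)
    if not m:
        return line, 0                      # not a PORT command: leave it alone
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return line, 0                      # malformed octet: do not guess
    ip = ".".join(str(n) for n in nums[:4])
    if ip != inside_ip:
        return line, 0                      # not an address this NAT translates
    port = nums[4] * 256 + nums[5]
    new_port = map_port(ip, port)
    fields = outside_ip.split(".") + [str(new_port >> 8), str(new_port & 0xFF)]
    new_line = b"PORT " + ",".join(fields).encode() + b"\r\n"
    # A non-zero delta means every later TCP sequence/ack number on this
    # connection must be shifted too, which is part of why this is fragile.
    return new_line, len(new_line) - len(line)

if __name__ == "__main__":
    # Constructed sample traffic (private inside address, TEST-NET-3 outside).
    samples = [
        b"PORT 192,168,1,10,19,137\r\n",            # real command, port 5001
        b"STOR PORT 192,168,1,10,19,137.txt\r\n",   # filename that looks similar
        b"PORT 192,168,1,99,19,137\r\n",            # different inside host
    ]
    for s in samples:
        print(rewrite_port(s, "192.168.1.10", "203.0.113.7", lambda ip, p: 40001))
```

The first sample comes back one byte shorter than it went in; the other two pass through unchanged, which is the behaviour a looser pattern match would get wrong.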