From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 2 11:55:39 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E3BB737B401; Wed, 2 Jul 2003 11:55:39 -0700 (PDT)
Received: from pit.databus.com (p70-227.acedsl.com [66.114.70.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEA8843FAF; Wed, 2 Jul 2003 11:55:38 -0700 (PDT) (envelope-from barney@pit.databus.com)
Received: from pit.databus.com (localhost [127.0.0.1]) by pit.databus.com (8.12.9/8.12.9) with ESMTP id h62ItcQv004749; Wed, 2 Jul 2003 14:55:38 -0400 (EDT) (envelope-from barney@pit.databus.com)
Received: (from barney@localhost) by pit.databus.com (8.12.9/8.12.9/Submit) id h62ItcBP004748; Wed, 2 Jul 2003 14:55:38 -0400 (EDT)
Date: Wed, 2 Jul 2003 14:55:38 -0400
From: Barney Wolff
To: Michael Sierchio
Message-ID: <20030702185538.GA4555@pit.databus.com>
References: <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3F0327FE.3030609@tenebras.com>
User-Agent: Mutt/1.4.1i
X-Scanned-By: MIMEDefang 2.33 (www . roaringpenguin . com / mimedefang)
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: Performance improvement for NAT in IPFIREWALL
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 02 Jul 2003 18:55:40 -0000

On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
> >NAT is not a security feature,
>
> Many would disagree with that assertion.

They would be wrong.  Find a real security expert and ask.

...

> >But moving NAT into the kernel has great impact on kernel memory usage,
> >which needs much more care than in user space.  NATs can be DoS'd,
> >and running out of kernel memory can be fatal.
>
> Stateful packet filters can be DoS'd.

Yes, but it's not necessary to keep state for connections from outside in,
only from inside out.  If you have an enemy inside, nothing will help you.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
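The inside-out-only state model Barney describes, as an added ipfw example that is not part of the thread: a shell function that prints a rules file in which only outbound flows create dynamic entries (with a per-host cap), while unsolicited inbound traffic is simply denied and never consumes kernel memory for state. The outside interface em0 and the inside network 192.0.2.0/24 are placeholders.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions (placeholders): em0 is the outside interface and
# 192.0.2.0/24 is the inside network. The printed file can be loaded
# with: ipfw -q /path/to/rules

ipfw_ruleset() {
    # Each line is one ipfw(8) command, in the form ipfw reads from a file.
    cat <<'EOF'
flush
# Check existing dynamic entries first; only inside-out flows create them.
add 100 check-state
# Inside -> outside: create state, but cap dynamic entries per inside host
# so a single misbehaving inside host cannot exhaust the dynamic-rule table
# (its overall size is bounded by the net.inet.ip.fw.dyn_max sysctl).
add 200 allow tcp from 192.0.2.0/24 to any out via em0 setup limit src-addr 200
add 210 allow udp from 192.0.2.0/24 to any out via em0 limit src-addr 200
add 220 allow icmp from 192.0.2.0/24 to any out via em0 keep-state
# Outside -> inside: deliberately no keep-state. Unsolicited packets are
# dropped and logged without allocating any dynamic rule in the kernel.
add 300 deny log ip from any to any in via em0
# Everything else (traffic on the inside interface) is allowed.
add 65000 allow ip from any to any
EOF
}

# Sanity check for the ruleset: number of rules that would create state
# for inbound traffic on the outside interface. Should be zero.
stateful_inbound_rules() {
    ipfw_ruleset | grep -c -E ' in .*(keep-state|limit)' || true
}
```

Rule 100 admits reply packets of flows that rule 200 to 220 already recorded, so inbound traffic is only ever accepted against state that an inside host created.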