From owner-freebsd-ipfw@FreeBSD.ORG  Wed Jul  2 12:26:48 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id C476B37B401; Wed,  2 Jul 2003 12:26:48 -0700 (PDT)
Received: from out001.verizon.net (out001pub.verizon.net [206.46.170.140])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 91EC843FBD; Wed,  2 Jul 2003 12:26:45 -0700 (PDT)
	(envelope-from cswiger@mac.com)
Received: from mac.com ([141.149.47.46]) by out001.verizon.net
          (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP
          id <20030702192644.JHUP12592.out001.verizon.net@mac.com>;
          Wed, 2 Jul 2003 14:26:44 -0500
Message-ID: <3F0331EE.6020707@mac.com>
Date: Wed, 02 Jul 2003 15:26:38 -0400
From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
	rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
References: <3F0316DE.3040301@tenebras.com>
	<20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com>
In-Reply-To: <3F0327FE.3030609@tenebras.com>
X-Enigmail-Version: 0.76.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Authentication-Info: Submitted using SMTP AUTH at out001.verizon.net from
	[141.149.47.46] at Wed, 2 Jul 2003 14:26:44 -0500
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: Performance improvement for NAT in IPFIREWALL
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jul 2003 19:26:49 -0000

Michael Sierchio wrote:
> Barney Wolff wrote:
>> NAT is not a security feature,
> 
> Many would disagree with that assertion.

Many people are wrong, then.  NAT is not a security feature.

Check the list archives of <firewall-wizards@honor.icsalabs.com>...

[ ... ]
>> If you believe you need to NAT at even 1Gb, I'd look
>> very hard at the requirements.
> 
> Sadly, requirements are often exogenous.

Nice word.  :-)

[ NAT sucks.  In a very useful way, of course.  Exogenous requirements may 
impose unreasonable constraints upon implementing the technically preferrable 
solution, just as "inept excess verbiage may disqualify qualifiers".  And "But 
soft, what light through yonder window breaks?" and other tasty bits from the 
"Applesoft Reference Manual".... ]

-- 
-Chuck