Date: Tue, 4 Feb 2003 16:31:14 -0800 (PST)
From: Scott Hess <scott@avantgo.com>
To: net@FreeBSD.org
Subject: Re: Does natd(8) really need to see _all_ packets?
In-Reply-To: <200302041903.03437.mi+mx@aldan.algebra.com>

On Tue, 4 Feb 2003, Mikhail Teterin wrote:
> On Tuesday 04 February 2003 06:44 pm, Wes Peters wrote:
> = On Tue, 2003-02-04 at 08:42, Mikhail Teterin wrote:
> = > Using two cards, where one works fine is against aesthetics :-)
> = > That's my primary reason, although there are only two slots left in
> = > the machine, indeed.
>
> = OK, that's a completely acceptable answer, but I suspect we're going
> = to differ strongly on the finer points of "works fine."
>
> The primary point is to provide the NAT service. A "REAL" firewall has
> to be a separate machine with readonly disks and what not. The
> apartment is not that big :-)

"Works fine". To my mind, a "REAL" firewall needs to sit between the internal and external LAN segments. Any box which doesn't occupy that position is not a firewall, real or otherwise, because packets can go around it.
I used to run a NAT service of the type you describe, for the reasons you describe. This was back when Ethernet cards weren't essentially free in my neighborhood :-). But eventually I decided that a firewall box which also runs services (email, http, etc.) but which provides the only means for the packets to get from the external to internal Ethernet segments was better than nothing. Maybe someone could/would leverage an Apache exploit into root access on the firewall, and thence to full access to the internal net, but at least that provides _some_ bar they have to jump over!

Later,
scott

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message