From: Michael Sierchio
Date: Wed, 02 Jul 2003 16:42:38 -0700
To: Chuck Swiger
cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Performance improvement for NAT in IPFIREWALL
Message-ID: <3F036DEE.8010408@tenebras.com>
In-Reply-To: <3F036571.8030609@mac.com>

Chuck Swiger wrote:

> To the extent that "security" is a matter of opinion, I guess that's all
> right: I'm not concerned if other people have different opinions than I do.

Security is an ill-defined concept. I prefer to think in terms of mitigating risk. In any case, deny_incoming offers some extra measure of security.

> By itself, NAT provides no benefit to security, and some implementations
> actually reduce the security of the system compared with not running
> NAT.

Sure, some implementations do. natd(8) was the first NAT daemon AFAIK to correctly handle the problem of rewriting the included IP header in ICMP error messages from nat'd hosts.

> Let me pull out a couple of quotes from various people:

You were better off when invoking "science" -- now you're invoking the mob ;-)

> "Since NAT actually adds no security,

You're of the school that sez "what I tell you three times is true?"
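An added illustration of the embedded-header problem the reply refers to (example code written for this page, not natd's implementation; the addresses are constructed from RFC 5737 documentation ranges): a pure-Python translation of an ICMP error through a NAT, showing that both the outer header and the IP header quoted inside the ICMP payload must be rewritten, with their checksums, and what a NAT that skips the inner header leaks.

```python
import struct
from socket import inet_aton, inet_ntoa

PRIVATE, PUBLIC, EXTERNAL = "10.0.0.5", "198.51.100.1", "192.0.2.10"  # constructed (RFC 5737 ranges)
def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when a stored checksum field verifies."""
    data = bytes(data) + b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_csum(buf: bytes, off: int) -> bytes:
    """Return buf with a correct checksum written into the 16-bit field at offset off."""
    zeroed = buf[:off] + b"\0\0" + buf[off + 2:]
    return zeroed[:off] + struct.pack("!H", csum(zeroed)) + zeroed[off + 2:]

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, inet_aton(src), inet_aton(dst))
    return with_csum(hdr, 10) + payload

def icmp_error(type_: int, code: int, offending: bytes) -> bytes:
    """RFC 792 error: type, code, checksum, 4 unused bytes, offending IP header + 8 bytes."""
    return with_csum(struct.pack("!BBHI", type_, code, 0, 0) + offending[:28], 2)

def addrs(hdr: bytes) -> tuple:
    return inet_ntoa(hdr[12:16]), inet_ntoa(hdr[16:20])  # (src, dst) of an IPv4 header

def nat_icmp_error(pkt: bytes, outbound: bool, fix_inner: bool = True) -> bytes:
    """Translate an ICMP error across the NAT.  Outbound (error sent by the NAT'd host):
    outer src and embedded dst PRIVATE->PUBLIC.  Inbound: outer dst and embedded src
    PUBLIC->PRIVATE.  fix_inner=False mimics a NAT that ignores the embedded header and
    so leaks the private address.  The 8 embedded transport bytes are left untouched."""
    new = inet_aton(PUBLIC if outbound else PRIVATE)
    o_off, i_off = (12, 16) if outbound else (16, 12)
    outer = with_csum(pkt[:o_off] + new + pkt[o_off + 4:20], 10)
    icmp = pkt[20:]
    if fix_inner:
        inner = icmp[8:28]                       # embedded IP header follows the 8 ICMP bytes
        inner = with_csum(inner[:i_off] + new + inner[i_off + 4:], 10)
        icmp = with_csum(icmp[:8] + inner + icmp[28:], 2)   # payload changed: redo ICMP checksum
    return outer + icmp

def example_outbound_error() -> bytes:
    """Constructed: EXTERNAL sent UDP to PUBLIC:53, NAT forwarded it to PRIVATE, which answers ICMP 3/3."""
    udp = struct.pack("!HHHH", 4000, 53, 8, 0)          # sport, dport, length, checksum
    offending = ipv4(EXTERNAL, PRIVATE, 17, udp)        # the datagram as the NAT'd host saw it
    return ipv4(PRIVATE, EXTERNAL, 1, icmp_error(3, 3, offending))
```

The fix_inner=False path yields a packet whose outer IP and ICMP checksums still verify, so the leaked private address is only visible by inspecting the quoted header.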