From: "Steven Vetzal" <svetzal@icom.ca>
To: "'Jim Cassata'"
Subject: RE: natd question
Date: Mon, 31 May 1999 20:28:47 -0400
Message-ID: <000501beabc5$b6f0e460$7ffea8c0@blazer.pr1.on.wave.home.com>

I tend to disagree with Jim's comment on "unroutable IPs" being no risk. They're no risk if you're positive the _other_ side of your link is clean, but there are far too many mismanaged routers out there that don't have unroutable ranges blocked, and if you're really paranoid, how do you know the router you're talking to hasn't been compromised and is handing you packets disguised as your own? Everything not in your control is suspect, and even all things you _think_ are in your control should be considered suspect.

I agree with Luigi's (forgive me) paranoid approach...

Steve

-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG [mailto:owner-freebsd-net@FreeBSD.ORG] On Behalf Of Jim Cassata
Sent: May 31, 1999 2:02 PM
To: net@FreeBSD.ORG
Subject: Re: natd question

> yes, i already did that, and in fact at least natd only sees useful
> pkts now. However there are still a couple of useless passes through the
> firewall code (once a pkt is diverted, you know what to do with it, no
> need to do further analysis), plus having forwarding enabled makes
> me feel a bit uncomfortable...
>

IP forwarding is no risk when you are running "unroutable IPs" on the private side.

Jim Cassata
516.421.6000
jim@web-ex.com
Web Express
20 Broadhollow Road Suite 3011
Melville, NY 11747

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
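Steve's objection, turned into an ipfw ruleset as an added example (not code from this thread or from FreeBSD's own rc.firewall): packets that arrive on the outside interface with a private or inside-network source are dropped before natd ever sees them, and the egress check sits after the divert rule so it catches only traffic that natd did not translate. The interface names ed0/ed1, the inside network 192.168.1.0/24 and the divert port 8668 are assumptions, and the rules are only printed until FWCMD is set to ipfw.

```shell
#!/bin/sh
# Added example: anti-spoof filtering around a natd divert rule.
# With the default FWCMD=echo the rules are printed for review, not installed.
FWCMD="${FWCMD:-echo}"                # set FWCMD="/sbin/ipfw -q" to install
EXT_IF="${EXT_IF:-ed0}"               # assumed ISP-facing interface
INT_IF="${INT_IF:-ed1}"               # assumed LAN interface
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed private LAN behind natd
NATD_PORT="${NATD_PORT:-8668}"        # natd's default divert port
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # RFC 1918

apply_rules() {
    $FWCMD -f flush
    $FWCMD add 100 allow ip from any to any via lo0
    $FWCMD add 110 deny ip from any to 127.0.0.0/8

    # Ingress filter, BEFORE the divert rule: a packet entering from the
    # outside with a private, loopback, link-local or inside-network source
    # is spoofed ("a packet disguised as your own") and must never reach natd.
    # INT_NET is listed on its own so the check still holds if the LAN is
    # not numbered from RFC 1918 space.
    n=200
    for net in $PRIVATE_NETS 127.0.0.0/8 169.254.0.0/16 $INT_NET; do
        $FWCMD add $n deny log ip from $net to any in via $EXT_IF
        n=$((n + 1))
    done

    # Hand traffic on the external interface to natd. Outbound packets come
    # back with the public source address and continue at the next rule, so
    # the egress check must sit AFTER this line or it would drop everything.
    $FWCMD add 1000 divert $NATD_PORT ip from any to any via $EXT_IF

    # Egress filter, AFTER translation: a private source still leaving here
    # bypassed natd and would leak the inside addressing.
    n=1100
    for net in $PRIVATE_NETS; do
        $FWCMD add $n deny log ip from $net to any out via $EXT_IF
        n=$((n + 1))
    done
    $FWCMD add 1200 allow ip from any to any out via $EXT_IF
    # TCP replies to sessions opened from inside; UDP/ICMP replies and any
    # services the gateway offers need their own rules after this one.
    $FWCMD add 1300 allow tcp from any to any in via $EXT_IF established

    # The LAN side only accepts its own network as a source, too.
    $FWCMD add 2000 allow ip from $INT_NET to any in via $INT_IF
    $FWCMD add 2010 allow ip from any to $INT_NET out via $INT_IF
}

apply_rules
```

Anything not matched falls through to the kernel's default policy, which is deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.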