Date:      Wed, 02 Jul 2003 16:42:38 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Performance improvement for NAT in IPFIREWALL
Message-ID:  <3F036DEE.8010408@tenebras.com>
In-Reply-To: <3F036571.8030609@mac.com>
References:  <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com> <3F0331EE.6020707@mac.com> <3F0350C7.7010009@tenebras.com> <3F036571.8030609@mac.com>

Chuck Swiger wrote:

> To the extent that "security" is a matter of opinion, I guess that's all 
> right: I'm not concerned if other people have different opinions than I do.

Security is an ill-defined concept.  I prefer to think in terms
of mitigating risk.

In any case, deny_incoming offers some extra measure of security.

> By itself, NAT provides no benefit to security, and some implementations 
> actually reduce the security of the system compared with not running 
> NAT. 

Sure, some implementations do.  natd(8) was the first NAT daemon AFAIK
to correctly handle the problem of rewriting the included IP header
in ICMP error messages from nat'd hosts.

> Let me pull out a couple of quotes from various people:

You were better off when invoking "science" -- now you're
invoking the mob ;-)

> "Since NAT actually adds no security,

You're of the school that sez "what I tell you three times is true?"
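
The ICMP detail credited to natd(8) above, as an added illustration that is not part of this thread and not natd's own code: when an upstream router bounces an already-translated packet, the NAT must rewrite not only the outer destination but also the source address inside the quoted IP header, and then refresh the inner IP, ICMP and outer IP checksums, or the internal host's stack cannot match the error to the socket that sent the original datagram. The addresses, the UDP datagram and all function names are constructed assumptions for the example.

```python
import struct
import ipaddress

# Constructed addresses for this example (RFC 5737 documentation / RFC 1918 ranges).
PUBLIC, INTERNAL, REMOTE, ROUTER = "203.0.113.1", "192.168.1.10", "198.51.100.7", "198.51.100.254"
A = lambda s: ipaddress.IPv4Address(s).packed  # dotted quad -> 4 network-order bytes

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def with_csum(buf: bytearray, off: int, span: slice) -> bytes:
    """Zero the 16-bit checksum at `off`, recompute it over `span` in place, return the bytes."""
    buf[off:off + 2] = b"\x00\x00"
    buf[off:off + 2] = struct.pack("!H", csum(bytes(buf[span])))
    return bytes(buf)
def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, A(src), A(dst))
    return with_csum(bytearray(h), 10, slice(0, 20)) + payload
def icmp_unreachable(quoted: bytes) -> bytes:
    """ICMP type 3 code 1 (host unreachable) quoting the offending IP header + 8 payload bytes."""
    return with_csum(bytearray(struct.pack("!BBHI", 3, 1, 0, 0) + quoted[:28]), 2, slice(None))

def untranslate_icmp_error(pkt: bytes, public: str, internal: str) -> bytes:
    """Inbound NAT of an ICMP error: rewrite the outer dst AND the quoted inner src, then
    refresh the inner IP, ICMP and outer IP checksums (the detail the post credits natd with)."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    outer[16:20] = A(internal)
    q = 8                                   # quoted header follows the 8-byte ICMP header
    if bytes(icmp[q + 12:q + 16]) == A(public):
        icmp[q + 12:q + 16] = A(internal)
        with_csum(icmp, q + 10, slice(q, q + (icmp[q] & 0x0F) * 4))
    return with_csum(outer, 10, slice(0, ihl)) + with_csum(icmp, 2, slice(None))
def checksums_ok(pkt: bytes) -> bool:
    """True when the outer IP, ICMP and quoted inner IP checksums all verify."""
    ihl, q = (pkt[0] & 0x0F) * 4, (pkt[0] & 0x0F) * 4 + 8
    return csum(pkt[:ihl]) == 0 and csum(pkt[ihl:]) == 0 and csum(pkt[q:q + (pkt[q] & 0x0F) * 4]) == 0

def demo():
    # Constructed scenario: an already-NATed UDP datagram (src = PUBLIC) is bounced by an upstream router.
    outbound = ipv4(PUBLIC, REMOTE, 17, struct.pack("!HHHH", 40000, 53, 8, 0))
    error = ipv4(ROUTER, PUBLIC, 1, icmp_unreachable(outbound))
    fixed = untranslate_icmp_error(error, PUBLIC, INTERNAL)
    # returns (outer dst, quoted inner src, all three checksums still valid)
    return str(ipaddress.IPv4Address(fixed[16:20])), str(ipaddress.IPv4Address(fixed[40:44])), checksums_ok(fixed)
```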
