Date: Wed, 2 Jul 2003 14:55:38 -0400 From: Barney Wolff <barney@databus.com> To: Michael Sierchio <kudzu@tenebras.com> Cc: freebsd-net@freebsd.org Subject: Re: Performance improvement for NAT in IPFIREWALL Message-ID: <20030702185538.GA4555@pit.databus.com> In-Reply-To: <3F0327FE.3030609@tenebras.com> References: <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote: > >NAT is not a security feature, > > Many would disagree with that assertion. They would be wrong. Find a real security expert and ask. ... > >But moving NAT into the kernel has great impact on kernel memory usage, > >which needs much more care than in user space. NATs can be DoS'd, > >and running out of kernel memory can be fatal. > > Stateful packet filters can be DoS'd. Yes, but it's not necessary to keep state for connections from outside in, only from inside out. If you have an enemy inside, nothing will help you. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030702185538.GA4555>