Date: Wed, 02 Jul 2003 14:33:13 -0700 From: Michael Sierchio <kudzu@tenebras.com> To: freebsd-ipfw@freebsd.org Cc: freebsd-net@freebsd.org Subject: Re: Performance improvement for NAT in IPFIREWALL Message-ID: <3F034F99.2080607@tenebras.com> In-Reply-To: <20030702185538.GA4555@pit.databus.com> References: <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com> <20030702185538.GA4555@pit.databus.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Barney Wolff wrote: > On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote: > >>>NAT is not a security feature, >> >>Many would disagree with that assertion. > > They would be wrong. Find a real security expert and ask. Clearly that would not be you. Both static and dynamic (or "hide") nat have security functions. > Yes, but it's not necessary to keep state for connections from outside in, > only from inside out. If you have an enemy inside, nothing will help you. Actually, you're quite mistaken. There are reasons for maintaining state for VPN and other connections that are unrelated to public services. And it's probably better to exhaust mbufs at the perimeter than the interior...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F034F99.2080607>