Performance improvement for NAT in IPFIREWALL
Barney Wolff
barney at databus.com
Wed Jul 2 11:55:40 PDT 2003
On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
> >NAT is not a security feature,
>
> Many would disagree with that assertion.
They would be wrong. Find a real security expert and ask.
...
> >But moving NAT into the kernel has great impact on kernel memory usage,
> >which needs much more care than in user space. NATs can be DoS'd,
> >and running out of kernel memory can be fatal.
>
> Stateful packet filters can be DoS'd.
Yes, but it's not necessary to keep state for connections from outside in,
only from inside out. If you have an enemy inside, nothing will help you.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
More information about the freebsd-ipfw
mailing list