Performance improvement for NAT in IPFIREWALL
Michael Sierchio
kudzu at tenebras.com
Wed Jul 2 16:42:48 PDT 2003
Chuck Swiger wrote:
> To the extent that "security" is a matter of opinion, I guess that's all
> right: I'm not concerned if other people have different opinions than I do.
Security is an ill-defined concept. I prefer to think in terms
of mitigating risk.
In any case, deny_incoming offers some extra measure of security.
> By itself, NAT provides no benefit to security, and some implementations
> actually reduce the security of the system compared with not running
> NAT.
Sure, some implementations do. natd(8) was the first NAT daemon AFAIK
to correctly handle the problem of rewriting the included IP header
in ICMP error messages from nat'd hosts.
> Let me pull out a couple of quotes from various people:
You were better off when invoking "science" -- now you're
invoking the mob ;-)
> "Since NAT actually adds no security,
You're of the school that sez "what I tell you three times is true?"
More information about the freebsd-ipfw
mailing list