Performance improvement for NAT in IPFIREWALL

Chuck Swiger cswiger at mac.com
Wed Jul 2 18:05:12 PDT 2003


Mike Silbersack wrote:
[ ... ]
> Please explain this point more.
> 
> Say I have 1000 win 9x boxes connected to the internet with routable IPs
> and no firewall.  How will placing them behind a NAT box make them less
> secure?

"man natd" suggests that you've just enabled IP spoofing for the LAN:

           You should be aware of the fact that, with these firewall settings,
           everyone on your local network can fake his source-address using
           your host as gateway.  If there are other hosts on your local network,
           you are strongly encouraged to create firewall rules that only
           allow traffic to and from trusted hosts.

People using NAT tend to permit arbitrary outbound connections from clients 
rather than, for example, mandating that all permitted client connections go 
through a designated and monitored proxy.  The placement of the divert rule 
early on tends to circumvent egress filtering.

However, I would suggest that my point has less to do with whether NAT can 
reduce the security of a completely open network with no firewall any further 
(although there are ways that it could), and more to do with whether the 
combination of firewall+NAT is particularly safe and secure compared with 
firewall-without-NAT.  At the very least, using NAT on the firewall increases 
the scope and potential of denial-of-service attacks to exhaust kernel memory or 
sockets (if use_sockets is set).

-- 
-Chuck

PS: But I also saw comments from Ruslan and Dean, and I'm willing to let this 
issue lapse rather than prolong a debate that people don't think is on-topic.
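The mechanism behind the natd(8) warning and the "divert rule early on" point above, as an added illustration that is not code from the post, from ipfw or from natd: a tiny first-match rule walker that keeps the one ipfw property the argument rests on, namely that a packet handed to natd by a divert rule is reinjected at the rule after the divert with its source address already rewritten to the gateway's. Only the outbound pass on the external interface is modelled, since that is the pass a `divert natd ... via fxp0` rule matches. The interface name, the addresses, the two rulesets and the sample packets are assumptions made for the example; the rule text strings use ipfw2 or-block syntax.

```python
"""Added illustration of divert placement vs. egress filtering.

Not ipfw or natd code: a minimal model of rule evaluation on the outbound
pass of the external interface.  Names and addresses are assumed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

LAN_NET = ip_network("192.168.1.0/24")   # assumed LAN behind the gateway
GATEWAY_EXT = "203.0.113.1"              # assumed public address of the gateway
EXT_IF = "fxp0"                          # assumed external interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_if: str = EXT_IF


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                         # "allow", "deny" or "divert"
    match: Callable[[Packet], bool]
    text: str                           # the ipfw rule this stands in for


def natd(pkt: Packet) -> Packet:
    """Stand-in for natd on the outbound pass: the source becomes the gateway."""
    return replace(pkt, src=GATEWAY_EXT)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Walk rules in numeric order.  allow/deny end processing; divert hands
    the packet to natd and continues at the next rule with the rewritten
    packet, which is where ipfw resumes after a divert-socket reinjection."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.match(pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            continue
        return rule.action, pkt
    return "deny", pkt                   # ipfw's default rule 65535


def src_not_trusted(p: Packet) -> bool:
    """Egress filter: only LAN addresses and the gateway's own may leave."""
    return ip_address(p.src) not in LAN_NET and p.src != GATEWAY_EXT


def any_pkt(_: Packet) -> bool:
    return True


EGRESS_TEXT = f"deny ip from not {{ {LAN_NET} or {GATEWAY_EXT} }} to any out via {EXT_IF}"
DIVERT_TEXT = f"divert natd ip from any to any via {EXT_IF}"

# Weak: divert first, as natd(8)'s sample configuration has it.  By the time
# rule 100 runs every packet carries the gateway's (permitted) address, so
# the egress filter can never match a forged LAN source.
WEAK_RULES = [
    Rule(50, "divert", any_pkt, DIVERT_TEXT),
    Rule(100, "deny", src_not_trusted, EGRESS_TEXT),
    Rule(200, "allow", any_pkt, "allow ip from any to any"),
]

# Hardened: the same egress filter placed before the divert, so it checks the
# source address the LAN host actually put in the packet.
HARDENED_RULES = [
    Rule(50, "deny", src_not_trusted, EGRESS_TEXT),
    Rule(100, "divert", any_pkt, DIVERT_TEXT),
    Rule(200, "allow", any_pkt, "allow ip from any to any"),
]

# Constructed sample packets: a genuine LAN client and a LAN host forging
# a source address that is not on the LAN at all.
LEGIT = Packet("192.168.1.10", "198.51.100.7")
SPOOFED = Packet("10.0.0.1", "198.51.100.7")

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        for pkt in (LEGIT, SPOOFED):
            action, out = evaluate(rules, pkt)
            print(f"{name:8} src {pkt.src:>14} -> {action:5} (leaves as {out.src})")
```

With the weak ordering both packets leave as the gateway's address, so the forged one is indistinguishable from a legitimate client's; with the egress rule moved in front of the divert the forged packet is dropped before natd ever sees it. The filter has to permit the gateway's own address for the gateway's own traffic, so a LAN host forging exactly that address is not caught by this single rule; that case needs a check on the inbound pass of the LAN interface, which is the "only allow traffic to and from trusted hosts" advice from natd(8).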



More information about the freebsd-ipfw mailing list