Performance improvement for NAT in IPFIREWALL
Michael Sierchio
kudzu at tenebras.com
Wed Jul 2 14:33:20 PDT 2003
Barney Wolff wrote:
> On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
>
>>>NAT is not a security feature,
>>
>>Many would disagree with that assertion.
>
> They would be wrong. Find a real security expert and ask.
Clearly that would not be you. Both static and dynamic (or "hide")
nat have security functions.
> Yes, but it's not necessary to keep state for connections from outside in,
> only from inside out. If you have an enemy inside, nothing will help you.
Actually, you're quite mistaken. There are reasons for maintaining
state for VPN and other connections that are unrelated to public
services. And it's probably better to exhaust mbufs at the perimeter
than the interior...
More information about the freebsd-ipfw
mailing list