Re: Performance improvement for NAT in IPFIREWALL
From: Barney Wolff (barney_at_databus.com)
Date: 07/02/03
- Previous message: Michael Sierchio: "Re: Performance improvement for NAT in IPFIREWALL"
- In reply to: Michael Sierchio: "Re: Performance improvement for NAT in IPFIREWALL"
- Next in thread: Michael Sierchio: "Re: Performance improvement for NAT in IPFIREWALL"
- Reply: Michael Sierchio: "Re: Performance improvement for NAT in IPFIREWALL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 2 Jul 2003 14:55:38 -0400 To: Michael Sierchio <kudzu@tenebras.com>
On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
> >NAT is not a security feature,
>
> Many would disagree with that assertion.
They would be wrong. Find a real security expert and ask.
...
> >But moving NAT into the kernel has great impact on kernel memory usage,
> >which needs much more care than in user space. NATs can be DoS'd,
> >and running out of kernel memory can be fatal.
>
> Stateful packet filters can be DoS'd.
Yes, but it's not necessary to keep state for connections from outside in,
only from inside out. If you have an enemy inside, nothing will help you.
-- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Michael Sierchio: "Re: Performance improvement for NAT in IPFIREWALL"
- In reply to: Michael Sierchio: "Re: Performance improvement for NAT in IPFIREWALL"
- Next in thread: Michael Sierchio: "Re: Performance improvement for NAT in IPFIREWALL"
- Reply: Michael Sierchio: "Re: Performance improvement for NAT in IPFIREWALL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
