Re: Performance improvement for NAT in IPFIREWALL
From: Barney Wolff (barney_at_databus.com)
Date: Wed, 2 Jul 2003 14:55:38 -0400 To: Michael Sierchio <firstname.lastname@example.org>
On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
> >NAT is not a security feature,
> Many would disagree with that assertion.
They would be wrong. Find a real security expert and ask.
> >But moving NAT into the kernel has great impact on kernel memory usage,
> >which needs much more care than in user space. NATs can be DoS'd,
> >and running out of kernel memory can be fatal.
> Stateful packet filters can be DoS'd.
Yes, but it's not necessary to keep state for connections from outside in,
only from inside out. If you have an enemy inside, nothing will help you.
-- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "firstname.lastname@example.org"