Chuck Swiger wrote:

> To the extent that "security" is a matter of opinion, I guess that's all right: I'm not concerned if other people have different opinions than I do.

Security is an ill-defined concept. I prefer to think in terms of mitigating risk.

In any case, deny_incoming offers some extra measure of security.

> By itself, NAT provides no benefit to security, and some implementations actually reduce the security of the system compared with not running NAT.

Sure, some implementations do. natd(8) was the first NAT daemon AFAIK to correctly handle the problem of rewriting the included IP header in ICMP error messages from nat'd hosts.

> Let me pull out a couple of quotes from various people:

You were better off when invoking "science" -- now you're invoking the mob ;-)

> "Since NAT actually adds no security,

You're of the school that sez "what I tell you three times is true?"


_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
