Michael Sierchio wrote:
Chuck Swiger wrote:
[ ... ]
Security is an ill-defined concept.  I prefer to think in terms
of mitigating risk.

Sure, that works for me.


In any case, deny_incoming offers some extra measure of security.

Does it? Serious question, as none of the connections deny_incoming may block would be permitted in the absence of natd and the divert socket, or ipf/ipnat, if you prefer. From "man natd":


          If you specify real firewall rules, it is best to specify line 2 at
          the start of the script so that natd sees all packets before they
          are dropped by the firewall.

Wrong order, if you prioritize security-- you worry about NAT'ing traffic that is permitted by the security policy and firewall rules. Most people implementing NAT who follow this advice effectively circumvent egress filtering that may have otherwise applied.

[ ... ]
Let me pull out a couple of quotes from various people:

You were better off when invoking "science" -- now you're invoking the mob ;-)

If I quoted the opinions of a bunch of chemists about the relative security, or lack thereof, of NAT-- it would be entirely valid to criticise the relevance or expertise those people have with regard to the subject. :-)


However, if one were to ask these chemists about acid-base titration, solutions chemistry, and the like, their responses would not be "mere opinion" or "invoking the mob". Their comments would be that of professionals discussing their chosen field, and include real-world observational data from experiments they themselves have performed.

"Since NAT actually adds no security,

You're of the school that sez "what I tell you three times is true?"

It worked for Dorothy, right? :-)


--
-Chuck
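The ordering point made above, that placing the divert rule ahead of the real rules lets NAT rewrite outbound packets before an egress filter written against inside addresses can see them, as an added example that is not part of the thread (example code, not from the natd man page or from either poster): an ipfw script with the man-page ordering beside the policy-first ordering. The interface name fxp0, the 192.168.1.0/24 inside network, the port-25 egress rule and the rule numbers are assumptions; FW defaults to echo so the script prints rules rather than loading them.

```shell
#!/bin/sh
# Added example, not from the thread: two ways of ordering the natd
# divert rule relative to a real egress rule in ipfw.  Interface name,
# inside network and rule numbers are assumptions; adjust to the host.
# FW defaults to "echo" so the script only prints the rules.  On a FreeBSD
# box with natd running (it listens on the "natd" divert port, 8668, from
# /etc/services) load them with:  FW=/sbin/ipfw sh thisfile.sh
FW=${FW:-echo}
EXT_IF=${EXT_IF:-fxp0}
INSIDE=${INSIDE:-192.168.1.0/24}

# Ordering from "man natd": divert first, so natd sees every packet.
# Consequence for an outbound packet from 192.168.1.10 to port 25: rule
# 100 rewrites its source to the address of $EXT_IF before rule 200 is
# evaluated, so a rule written against the inside network never matches
# and the egress filter is bypassed without even a log entry.
natd_first() {
    $FW add 100 divert natd ip from any to any via "$EXT_IF"
    $FW add 200 deny log tcp from "$INSIDE" to any 25 out via "$EXT_IF"
    $FW add 300 allow ip from any to any
}

# Policy-first ordering: filter outbound traffic while it still carries
# inside addresses, then hand what survives to natd.  Inbound packets do
# not match the "out" rule, reach the divert rule with the external
# address as destination, and come back translated, so later rules can
# be written against inside addresses as well.
policy_first() {
    $FW add 100 deny log tcp from "$INSIDE" to any 25 out via "$EXT_IF"
    $FW add 200 divert natd ip from any to any via "$EXT_IF"
    $FW add 300 allow ip from any to any
}

# Helper for checking a ruleset in dry-run mode: prints the number of the
# first rule (second field of "add NNN ...") whose text matches $2.
first_rule_matching() {
    ( FW=echo; "$1" ) | awk -v pat="$2" '$0 ~ pat { print $2; exit }'
}

# Usage: sh thisfile.sh [natd|policy]   (defaults to the policy-first set)
case "${1:-policy}" in
    natd)   natd_first ;;
    policy) policy_first ;;
esac
```

Run it with no arguments to print the policy-first ruleset, or with `natd` to print the man-page ordering; the comments on each function say which packets the port-25 rule actually sees in that position.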


_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
