Michael Sierchio wrote:
>
> Eugene Grosbein wrote:
>
> > Then, if prioritized packed arrives when FIFO is not empty,
> > it will not be allowed to go out before packets without ipprecedence
> > that are already in FIFO. That's bad.
>
> That's not quite right. The prioritized packet will presuma
On Thu, 3 Jul 2003, Clement Laforet wrote:
> Hi,
>
> On Wed, 2 Jul 2003 18:39:42 -0500 (CDT)
> Mike Silbersack <[EMAIL PROTECTED]> wrote:
>
> > > Comments? Suggestions? Vision?
> >
> > If you have some time to throw at the problem, you might consider
> > using gprof on natd in order to determ
Mike Silbersack wrote:
[ ... ]
Please explain this point more.
Say I have 1000 win 9x boxes connected to the internet with routable IPs
and no firewall. How will placing them behind a NAT box make them less
secure?
"man natd" suggests that you've just enabled IP spoofing for the LAN:
Y
Michael Sierchio wrote:
Chuck Swiger wrote:
[ ... ]
Security is an ill-defined concept. I prefer to think in terms
of mitigating risk.
Sure, that works for me.
In any case, deny_incoming offers some extra measure of security.
Does it? Serious question, as none of the connections deny_incoming ma
On Wed, 2 Jul 2003, Chuck Swiger wrote:
> By itself, NAT provides no benefit to security, and some implementations
> actually reduce the security of the system compared with not running NAT. Let
> me pull out a couple of quotes from various people:
Please explain this point more.
Say I have 10
Chuck Swiger wrote:
To the extent that "security" is a matter of opinion, I guess that's all
right: I'm not concerned if other people have different opinions than I do.
Security is an ill-defined concept. I prefer to think in terms
of mitigating risk.
In any case, deny_incoming offers some extra
On Wed, Jul 02, 2003 at 07:06:25PM -0400, Chuck Swiger wrote:
[...]
> By itself, NAT provides no benefit to security, and some implementations
> actually reduce the security of the system compared with not running NAT.
>
Our natd(8) contributes to security somewhat, by providing the
-deny_incom
Michael Sierchio wrote:
> Chuck Swiger wrote:
>
> >Many people are wrong, then. NAT is not a security feature.
>
> We simply disagree.
Puh-leaze. Not this discussion again. Can we stay on topic please?
--
Dean C. Strik Eindhoven University of Technology
[EMAIL PROTECTED] | [EMAI
Michael Sierchio wrote:
Chuck Swiger wrote:
Many people are wrong, then. NAT is not a security feature.
We simply disagree.
To the extent that "security" is a matter of opinion, I guess that's all right:
I'm not concerned if other people have different opinions than I do.
To the extent that secu
Hi,
On Wed, 2 Jul 2003 18:39:42 -0500 (CDT)
Mike Silbersack <[EMAIL PROTECTED]> wrote:
> > Comments? Suggestions? Vision?
>
> If you have some time to throw at the problem, you might consider
> using gprof on natd in order to determine what exactly about natd is
> slow. As is commonly mentioned
On Wed, 2 Jul 2003, Michael Sierchio wrote:
> Currently, performance w/divert sockets and natd in ipfirewall
> on a compute-bound platform (ELAN-133MHz) shows ipfw+natd throughput
> to be 50% of that offered by ipfilter+ipnat.
>
> Is there anything that can be done to speed up either the
> perfor
Chuck Swiger wrote:
Many people are wrong, then. NAT is not a security feature.
We simply disagree.
[ NAT sucks. In a very useful way, of course. Exogenous requirements
may impose unreasonable constraints upon implementing the technically
preferrable solution, just as "inept excess verbiage
Barney Wolff wrote:
On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
NAT is not a security feature,
Many would disagree with that assertion.
They would be wrong. Find a real security expert and ask.
Clearly that would not be you. Both static and dynamic (or "hide")
nat have secu
On Wed, Jul 02, 2003 at 01:11:01PM -0700, Patrick Verkaik wrote:
>
> Does FreeBSD support multiple routing tables? If not, is any work being
> done in this area? From what I can find, it seems that Linux has this.
>
> The reason I'm asking is that I'd like to simulate a number of BGP routers
> o
Does FreeBSD support multiple routing tables? If not, is any work being
done in this area? From what I can find, it seems that Linux has this.
The reason I'm asking is that I'd like to simulate a number of BGP routers
on one box.
Thanks,
Patrick
_
Michael Sierchio wrote:
Barney Wolff wrote:
NAT is not a security feature,
Many would disagree with that assertion.
Many people are wrong, then. NAT is not a security feature.
Check the list archives of <[EMAIL PROTECTED]>...
[ ... ]
If you believe you need to NAT at even 1Gb, I'd look
very hard
On Wed, Jul 02, 2003 at 11:44:14AM -0700, Michael Sierchio wrote:
> >NAT is not a security feature,
>
> Many would disagree with that assertion.
They would be wrong. Find a real security expert and ask.
...
> >But moving NAT into the kernel has great impact on kernel memory usage,
> >which ne
Barney Wolff wrote:
NAT is not a security feature,
Many would disagree with that assertion.
and should be used only where it is
actually necessary to translate addresses, and as far towards the edge
as possible.
This is typically where firewalls are found.
If you believe you need to NAT at even
On Wed, Jul 02, 2003 at 10:31:10AM -0700, Michael Sierchio wrote:
>
> Currently, performance w/divert sockets and natd in ipfirewall
> on a compute-bound platform (ELAN-133MHz) shows ipfw+natd throughput
> to be 50% of that offered by ipfilter+ipnat.
>
> Is there anything that can be done to spee
On Wed, Jul 02, 2003 at 01:38:57PM +0200, jonas linden wrote:
> I've set up a new firewall using freebsd 4.8. I'm
> using ipfw with natd to do port mapping. Everything
> worked fine while being on my test network. When I
> moved the firewall to the real place I changed the
> outer NICs IP nr. When
Currently, performance w/divert sockets and natd in ipfirewall
on a compute-bound platform (ELAN-133MHz) shows ipfw+natd throughput
to be 50% of that offered by ipfilter+ipnat.
Is there anything that can be done to speed up either the
performance of divert and natd? Alternatively, could network
ad
Eugene Grosbein wrote:
Then, if prioritized packed arrives when FIFO is not empty,
it will not be allowed to go out before packets without ipprecedence
that are already in FIFO. That's bad.
That's not quite right. The prioritized packet will presumably be
handled by a different (dummynet) queue,
On Wed, Jul 02, 2003 at 09:18:48AM -0700, Luigi Rizzo wrote:
> > > It seems to me you could use dummynet/ipfw2 to provide a
> > > stronge PREFERENCE for packets w/non-zero precedence --
> ...
> > And what bandwidth of pipe should I use?
> > Note that I do not need traffic shaping,
> > I need to re
> It seems to me you could use dummynet/ipfw2 to provide a
> stronge PREFERENCE for packets w/non-zero precedence --
Well, I see now that FreeBSD has very simple and unmanaged
interface queues, these are FIFO queues.
So if I create dummynet queue and assign better weight
to IP packets with ippre
On Wed, Jul 02, 2003 at 11:54:42PM +0800, Eugene Grosbein wrote:
> > It seems to me you could use dummynet/ipfw2 to provide a
> > stronge PREFERENCE for packets w/non-zero precedence --
...
> And what bandwidth of pipe should I use?
> Note that I do not need traffic shaping,
> I need to rearrange q
> It seems to me you could use dummynet/ipfw2 to provide a
> stronge PREFERENCE for packets w/non-zero precedence --
> the fairness aspect of dummynet queues works against your
> stated aim, but probabilistically you could pass all
> such packets ahead of others. The fairness guarantee
> means th
Eugene Grosbein wrote:
Suppose, we have a router running FreeBSD 4.8-STABLE.
Some of transit IP-packets have non-zero IP Precedence.
Is it possible to set up the router to rearrange interface queues
so that such packets are sent first?
It seems to me you could use dummynet/ipfw2 to provide a
stron
Hi!
Suppose, we have a router running FreeBSD 4.8-STABLE.
Some of transit IP-packets have non-zero IP Precedence.
Is it possible to set up the router to rearrange interface queues
so that such packets are sent first?
Eugene
___
[EMAIL PROTECTED] mailing
Hi!
I've set up a new firewall using freebsd 4.8. I'm
using ipfw with natd to do port mapping. Everything
worked fine while being on my test network. When I
moved the firewall to the real place I changed the
outer NICs IP nr. When I did this the port mapping
stopped working.
Status:
* There are
The short answer is no, you can't, in_pcb turns 255.255.255.255 into
the "primary" interface's broadcast address.
I doubt this is actually useful behavior, but that's not what you
asked =)
Bill
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.
30 matches
Mail list logo
