Performance improvement for NAT in IPFIREWALL
Chuck Swiger
cswiger at mac.com
Wed Jul 2 17:48:36 PDT 2003
Michael Sierchio wrote:
> Chuck Swiger wrote:
[ ... ]
> Security is an ill-defined concept. I prefer to think in terms
> of mitigating risk.
Sure, that works for me.
> In any case, deny_incoming offers some extra measure of security.
Does it? Serious question, as none of the connections deny_incoming may block
would be permitted in the absence of natd and the divert socket, or ipf/ipnat,
if you prefer. From "man natd":
    If you specify real firewall rules, it is best to specify line 2 at
    the start of the script so that natd sees all packets before they
    are dropped by the firewall.
Wrong order, if you prioritize security-- you worry about NAT'ing traffic that
is permitted by the security policy and firewall rules. Most people
implementing NAT who follow this advice effectively circumvent egress filtering
that may have otherwise applied.
[ ... ]
>> Let me pull out a couple of quotes from various people:
>
> You were better off when invoking "science" -- now you're
> invoking the mob ;-)
If I quoted the opinions of a bunch of chemists about the relative security, or
lack thereof, of NAT-- it would be entirely valid to criticise the relevance or
expertise those people have with regard to the subject. :-)
However, if one were to ask these chemists about acid-base titration, solutions
chemistry, and the like, their responses would not be "mere opinion" or
"invoking the mob". Their comments would be that of professionals discussing
their chosen field, and include real-world observational data from experiments
they themselves have performed.
>> "Since NAT actually adds no security,
>
> You're of the school that sez "what I tell you three times is true?"
It worked for Dorothy, right? :-)
--
-Chuck
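The ordering point made above (divert before filtering means the egress rules only ever see already-translated source addresses) can be seen with a small model of ipfw rule evaluation. This is an added example, not code from the post or from FreeBSD; it assumes simplified ipfw/natd semantics (a `divert` rule hands the packet to natd and evaluation resumes at the next rule with the rewritten packet), and the addresses, host names and the three-field rule tuples are constructed for illustration.

```python
# Added example (not from the original post): a minimal model of how an ipfw
# ruleset containing a "divert natd" rule behaves depending on where the
# divert sits. Rule format, addresses and hosts are constructed for illustration.
from dataclasses import dataclass, replace

INTERNAL_NET = "192.168.1."     # constructed private LAN prefix behind the NAT box
EXTERNAL_IP = "203.0.113.1"     # constructed public address of the NAT box


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "out" (LAN -> Internet) or "in" (Internet -> LAN)


def natd(pkt: Packet) -> Packet:
    """Model of what natd does to a packet handed to it on the divert socket:
    an outbound packet from the LAN gets its private source rewritten to the
    public address (inbound un-translation is omitted to keep the model small)."""
    if pkt.direction == "out" and pkt.src.startswith(INTERNAL_NET):
        return replace(pkt, src=EXTERNAL_IP)
    return pkt


# A rule is (action, src_match, direction_match); "any" matches everything.
def matches(rule, pkt):
    _, src_match, dir_match = rule
    return (src_match == "any" or pkt.src == src_match) and \
           (dir_match == "any" or pkt.direction == dir_match)


def evaluate(ruleset, pkt):
    """Walk rules in order, ipfw-style. A matching 'divert' passes the packet
    to natd and evaluation continues at the next rule with the (possibly
    rewritten) packet (assumed re-entry behaviour). The first matching
    'allow' or 'deny' decides; nothing matching means the implicit deny."""
    for rule in ruleset:
        if not matches(rule, pkt):
            continue
        action = rule[0]
        if action == "divert":
            pkt = natd(pkt)
            continue
        return action, pkt
    return "deny", pkt


EGRESS_BLOCK_HOST = INTERNAL_NET + "50"   # a LAN host policy says must not reach the Internet

# Ordering the natd(8) man page suggests: divert at the very top.
DIVERT_FIRST = [
    ("divert", "any", "any"),
    ("deny", EGRESS_BLOCK_HOST, "out"),
    ("allow", "any", "any"),
]

# Ordering that keeps the egress policy effective: filter first, then translate.
FILTER_FIRST = [
    ("deny", EGRESS_BLOCK_HOST, "out"),
    ("divert", "any", "any"),
    ("allow", "any", "any"),
]


def outcome(ruleset):
    """Verdict for an outbound packet from the host the egress rule targets."""
    pkt = Packet(src=EGRESS_BLOCK_HOST, dst="198.51.100.7", direction="out")
    return evaluate(ruleset, pkt)[0]


if __name__ == "__main__":
    # With divert first the deny rule only ever sees 203.0.113.1, so it never fires.
    print("divert first :", outcome(DIVERT_FIRST))   # allow
    print("filter first :", outcome(FILTER_FIRST))   # deny
```

The `deny` rule in `DIVERT_FIRST` is dead code in practice: by the time it is evaluated the source address has already been rewritten to the public address, so any per-host egress restriction written in terms of internal addresses is silently bypassed. Placing the filter rules before the divert, as in `FILTER_FIRST`, restores the policy; the cost is that you then have to write the inbound rules to match the addresses natd has not yet translated, which is exactly the trade-off the thread is about.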