
Re: PF limit on number of natted connections ?



On Thu, Jun 13, 2002 at 05:22:00PM -0400, Joseph C. Bender wrote:

> Could you clarify what you mean by "nearly eliminate the need for
> NAT?" As in route everything through proxying?

Most external use of the 'Net is surfing and mail. Local clients
don't need to be able to make a direct connection for either: use
Web proxies for the former, and a local SMTP relay for the latter.
While acknowledging exceptions, most of what can't be proxied
either shouldn't be permitted for security reasons (H.323, for
example), isn't important for "serious" organizations (games), or
can be dealt with by other means (telnet: ssh to perimeter
computer, connect from there).

While you might need NAT for your proxy (etc.) servers, you very
likely don't for the vast bulk of your client machines.

> NAT as a security method is something to consider too.

Even better: give 'em RFC 1918 addresses but don't route or NAT
them at all.

> Besides, if your org is that large, you do have (in that example)
> more than one firewall, redundant, and balancing traffic by
> subnet, right? <grin>

...and you probably aren't asking these questions on an OpenBSD
list, either. Even if you are, you can afford the IPs, bandwidth,
hardware, staff, training, etc., so the answer to the original
question still remains: there are no limits you'll have to worry
about that exist with NAT that don't exist otherwise.

b&

--
Ben Goren
 mailto:ben@trumpetpower.com
 http://www.trumpetpower.com/
 icbm:33o25'37"N_111o57'32"W
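The design argued for in this reply (RFC 1918 clients that are neither routed nor translated, NAT only for the proxy and mail relay), written up as an added pf.conf example that is not part of the original message. It uses current OpenBSD syntax (match ... nat-to, stateful pass rules by default) rather than the 2002 form; the interface names, addresses and ports are assumed placeholders.

```pf
# Assumed interfaces and addresses (placeholders, not from the thread)
ext_if = "em0"
int_if = "em1"
lan = "192.168.1.0/24"
proxy = "192.168.1.10"       # Web proxy, e.g. listening on 3128
mailrelay = "192.168.1.11"   # local SMTP relay

# Only these two hosts are ever translated to the external address.
table <egress_hosts> const { 192.168.1.10, 192.168.1.11 }

set skip on lo

# NAT is applied solely to the proxy and relay. No match rule covers
# the rest of $lan, so client traffic is never translated.
match out on $ext_if from <egress_hosts> to any nat-to ($ext_if)

# Default deny in both directions; client packets that would leave
# with an untranslated RFC 1918 source are dropped and logged here.
block log all

# Clients may reach only the proxy and the relay, on the inside.
pass in on $int_if proto tcp from $lan to $proxy port 3128
pass in on $int_if proto tcp from $lan to $mailrelay port 25

# Proxy and relay (and the firewall itself) may go out to the Internet.
pass out on $ext_if from { <egress_hosts>, ($ext_if) } to any

# Replies to the proxy/relay return via the states created above;
# nothing unsolicited is accepted on $ext_if because of "block all".
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; direct client attempts to the Internet show up as blocked entries in `tcpdump -n -e -ttt -i pflog0`.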
