[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PF limit on number of natted connections ?
On Thu, Jun 13, 2002 at 05:22:00PM -0400, Joseph C. Bender wrote:
> Could you clarify what you mean by "nearly eliminate the
> need for NAT?" As in route everything through proxying?
Most external use of the 'Net is surfing and mail. Local clients
don't need to be able to make a direct connection for either: use
Web proxies for the former, and a local SMTP relay for the
latter. While acknowledging exceptions, most of what can't be
proxied either shouldn't be permitted for security reasons (H.323,
for example), isn't important for ``serious'' organizations
(games), or can be dealt with by other means (telnet: ssh to
perimiter computer, connect from there).
While you might need NAT for your proxy (etc.) servers, you very
likely don't for the vast bulk of your client machines.
> NAT as a security method is something to consider too.
Even better: give 'em RFC 1918 addresses but don't route or NAT
them at all.
> Besides, if your org is that large, you do have (in that
> example) more than one firewall, redundant, and balancing
> traffic by subnet, right? <grin>
...and you probaby aren't asking these questions on an OpenBSD
list, either. Even if you are, you can afford the IPs, bandwidth,
hardware, staff, training, etc., that the answer to the original
question still remains: there are no limits you'll have to worry
about that exist with NAT that don't exist otherwise.
[demime 0.98d removed an attachment of type application/pgp-signature]