mh (RE: OMB: IPv6 by June 2008)
Steven M. Bellovin
smb at cs.columbia.edu
Thu Jul 7 20:10:28 UTC 2005
In message <20050707195433.3B5EC1862 at testbed9.merit.edu>, "Tony Hain" writes:
>
>Mangling the header did not prevent the worms, lack of state did that. A
>stateful filter that doesn't need to mangle the packet header is frequently
>called a firewall (yes some firewalls still do, but that is by choice).
>
Absolutely correct. Real firewalls pass inbound traffic because a
state table entry exists. NATs do the same thing, with nasty
side-effects. There is no added security from the header-mangling.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
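The point made in this exchange, as an added example that is not part of the original message: a toy stateful filter and a toy NAT handle the same constructed traffic, and both make the inbound pass/drop decision purely from a state table entry. The addresses are documentation ranges, the class and function names are hypothetical, and the NAT is assumed to filter per remote endpoint; timeouts and TCP flags are left out.

```python
from typing import NamedTuple, Optional

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Passes inbound traffic only when a state table entry exists; headers untouched."""
    def __init__(self):
        self.state = set()
    def outbound(self, p: Pkt) -> Pkt:
        self.state.add(p)
        return p
    def inbound(self, p: Pkt) -> Optional[Pkt]:
        # A reply is the mirror image of a tracked outbound flow.
        return p if Pkt(p.dst, p.dport, p.src, p.sport) in self.state else None

class Nat:
    """Same state-table decision, plus rewriting of the inside address and port."""
    def __init__(self, public_ip: str):
        self.public_ip, self.next_port = public_ip, 40000
        self.out_map = {}  # inside flow -> public source port
        self.in_map = {}   # (public port, remote ip, remote port) -> (inside ip, inside port)
    def outbound(self, p: Pkt) -> Pkt:
        if p not in self.out_map:
            self.out_map[p] = self.next_port
            self.in_map[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Pkt(self.public_ip, self.out_map[p], p.dst, p.dport)
    def inbound(self, p: Pkt) -> Optional[Pkt]:
        inside = self.in_map.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or inside is None:
            return None  # no state entry: drop
        return Pkt(p.src, p.sport, *inside)

def run(device, inside_ip: str):
    """Send one outbound connection, then a reply and an unsolicited probe."""
    sent = device.outbound(Pkt(inside_ip, 51000, "198.51.100.7", 443))
    reply = device.inbound(Pkt(sent.dst, sent.dport, sent.src, sent.sport))
    # Unsolicited: a different remote host aims at the same externally visible endpoint.
    probe = device.inbound(Pkt("198.51.100.99", 4444, sent.src, sent.sport))
    return sent, reply is not None, probe is not None

# Constructed sample traffic (documentation address ranges).
FW = run(StatefulFirewall(), "203.0.113.10")   # routable inside host, no rewriting
NAT = run(Nat("203.0.113.1"), "192.168.0.10")  # private inside host behind the NAT
```

Both devices pass the reply and drop the probe; the only difference is the source address and port the remote end sees on the outbound packet.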