North American Network Operators Group

Re: mh (RE: OMB: IPv6 by June 2008)
In message <[email protected]>, "Tony Hain" writes:
>
>Mangling the header did not prevent the worms, lack of state did that. A
>stateful filter that doesn't need to mangle the packet header is frequently
>called a firewall (yes some firewalls still do, but that is by choice).
>

Absolutely correct. Real firewalls pass inbound traffic because a state table entry exists. NATs do the same thing, with nasty side-effects. There is no added security from the header-mangling.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
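The point made in this message, as an added example that is not part of the original e-mail: a toy Python model in which a stateful filter and a NAT make the same accept/drop decisions on the same trace, the NAT's only extra act being the header rewrite. All class names, addresses and ports are constructed, and the NAT is assumed to use address- and port-dependent filtering.

```python
# Added illustration: a toy model, not any real firewall or NAT implementation.
from typing import NamedTuple, Optional

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Inbound passes only if an outbound packet created state; headers untouched."""
    def __init__(self):
        self.state = set()
    def outbound(self, p: Pkt) -> Pkt:
        self.state.add((p.dst, p.dport, p.src, p.sport))  # tuple the reply will carry
        return p
    def inbound(self, p: Pkt) -> Optional[Pkt]:
        return p if tuple(p) in self.state else None

class Nat:
    """Same state lookup, plus rewriting the inside source to one public address."""
    def __init__(self, public_ip: str):
        self.public_ip, self.next_port = public_ip, 40000
        self.ports, self.state = {}, {}  # flow -> public port; reply tuple -> inside (ip, port)
    def outbound(self, p: Pkt) -> Pkt:
        flow = tuple(p)
        if flow not in self.ports:
            self.ports[flow] = self.next_port
            self.state[(p.dst, p.dport, self.public_ip, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return Pkt(self.public_ip, self.ports[flow], p.dst, p.dport)
    def inbound(self, p: Pkt) -> Optional[Pkt]:
        inside = self.state.get(tuple(p))
        return Pkt(p.src, p.sport, *inside) if inside else None

def verdicts(device, inside_ip: str) -> dict:
    """Run one constructed trace through a device and report what it let in."""
    sent = device.outbound(Pkt(inside_ip, 51000, "192.0.2.80", 80))
    reply = Pkt(sent.dst, sent.dport, sent.src, sent.sport)
    stranger = Pkt("198.51.100.66", 80, sent.src, sent.sport)  # same port, no state
    unsolicited = Pkt("198.51.100.66", 4444, sent.src, 445)    # never-used port
    return {
        "reply": device.inbound(reply) is not None,
        "stranger": device.inbound(stranger) is not None,
        "unsolicited": device.inbound(unsolicited) is not None,
    }

FIREWALL = verdicts(StatefulFilter(), "203.0.113.10")  # constructed addresses
NAT = verdicts(Nat("203.0.113.1"), "10.0.0.10")
```

Both devices accept the reply and drop the two packets that match no state entry; the only difference is that the NAT's outbound packet leaves with a rewritten source address and port.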