7 Jul 2005, 4:10 p.m.
In message <20050707195433.3B5EC1862@testbed9.merit.edu>, "Tony Hain" writes:
Mangling the header did not prevent the worms, lack of state did that. A stateful filter that doesn't need to mangle the packet header is frequently called a firewall (yes some firewalls still do, but that is by choice).
Absolutely correct. Real firewalls pass inbound traffic because a state table entry exists. NATs do the same thing, with nasty side-effects. There is no added security from the header-mangling.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
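The point made in this exchange, as an added illustration that is not part of the original messages: a toy stateful filter and a toy port-translating NAT both drop an unsolicited inbound packet for the same reason, a missing state entry, and the NAT differs only in rewriting headers. The class names, the address-and-port-dependent NAT model, and the addresses (documentation and private ranges) are assumptions constructed for the example.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Stateful filter: headers pass through unmodified."""
    def __init__(self):
        self.state = set()                      # flows opened from the inside

    def outbound(self, p: Packet) -> Packet:
        self.state.add((p.src, p.sport, p.dst, p.dport))
        return p

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Pass only if this is the reverse of a recorded outbound flow.
        return p if (p.dst, p.dport, p.src, p.sport) in self.state else None

class Napt:
    """Port-translating NAT: the same state lookup, plus header rewriting."""
    def __init__(self, public_ip: str):
        self.public_ip, self.next_port = public_ip, 40000
        self.table = {}     # (public port, remote ip, remote port) -> inside (ip, port)

    def outbound(self, p: Packet) -> Packet:
        for (pub, rip, rport), inside in self.table.items():
            if (rip, rport, inside) == (p.dst, p.dport, (p.src, p.sport)):
                return Packet(self.public_ip, pub, p.dst, p.dport)
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[(pub, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public_ip, pub, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.table.get((p.dport, p.src, p.sport))
        if inside is None or p.dst != self.public_ip:
            return None                         # no state entry: dropped, same as the filter
        return Packet(p.src, p.sport, *inside)  # rewrite destination back to the inside host

def demo(device, inside_ip: str):
    """Open one flow from inside, then offer a reply and an unsolicited probe."""
    sent = device.outbound(Packet(inside_ip, 51000, "203.0.113.5", 80))
    reply = device.inbound(Packet("203.0.113.5", 80, sent.src, sent.sport))
    probe = device.inbound(Packet("203.0.113.99", 4444, sent.src, 445))
    return sent, reply, probe
```

Calling `demo(StatefulFilter(), "198.51.100.10")` and `demo(Napt("198.51.100.1"), "192.168.1.10")` gives the same accept/drop outcome; only the addresses and ports in the forwarded packets differ.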