On Dec 22, 2007 2:22 AM, Paolo Gentili <[EMAIL PROTECTED]> wrote:
> Anyway I still have some little doubts on implementing a DMZ containing all
> the servers, behind NAT.
> This is because I don't know how pfsense's NAT implementation can handle the
> new internet applications/protocols
> like AJAX or WEB-SERVICES

This is simple HTTP on port 80 (or wherever your web server lives). Nothing new other than its use of the existing TCP port for transit here. What might be useful is describing how your previous firewall was going to handle this.

> or others that could make use of mechanisms like dynamic allocation of port.

That could cause you problems potentially. But would be no different in any other firewall that didn't already understand your protocol. I regularly force vendors to redesign their applications to not use dynamic ports at work, it's a stupid design and really, there's zero reason to do it (other than sheer laziness on the developers' side - or pissy legacy reasons when it comes to FTP, which is still not a good excuse IMO).

> Don't you think pfsense (actually NAT) can suffer this?

1:1 NAT (if you have enough IP space) and then it's just rules you have to add. Inbound, I don't expect you'll run into many of these. Most applications you are likely to run on your server will stick to a single inbound port.

--Bill
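The "1:1 NAT plus a rule per inbound port" approach Bill describes, written out as a pf.conf fragment in the FreeBSD pf syntax that pfSense runs on underneath its GUI. This is an added example, not from the thread or the pfSense project; the interface names, addresses and the single DMZ web server are assumed placeholders.

```pf
# Added example (not from the thread): 1:1 NAT for one DMZ web server with
# exactly one inbound port opened, in FreeBSD pf syntax as used by pfSense.
# All interface names and addresses below are assumed placeholders.
ext_if  = "em0"             # WAN interface
dmz_if  = "em1"             # DMZ interface
ext_ip  = "203.0.113.10"    # public address dedicated to the web server
web_srv = "10.0.1.10"       # web server's private address in the DMZ

# 1:1 (bidirectional) NAT: the public address maps to exactly one DMZ host,
# so exposing a further service later is only a matter of adding a pass rule.
binat on $ext_if from $web_srv to any -> $ext_ip

# Default deny on every interface. Translation happens before filtering,
# so the inbound rule below matches the server's private address.
block in log all

# The only service the server exposes: HTTP on TCP/80. Anything using
# dynamically allocated ports would never match and stays blocked.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# Let the DMZ host itself reach out (DNS, updates); replies ride the state.
pass in on $dmz_if from $web_srv to any keep state
```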
