Mark Olbert wrote:

> My question is this: are there any significant downsides (particularly
> security downsides) to doing 1:1 NAT as opposed to Proxy ARP?

No. Both depend on routing -- they just use different tricks to make routing work. My objection to NAT is that it can confuse your servers as to their true identity and can make you use split DNS or hacks like described in Shorewall FAQ 2.

> I'm ignoring DNAT, perhaps inappropriately, because I think it would be hard
> to get RPC over HTTP to work using DNAT.


1:1 NAT is equivalent to a DNAT- rule coupled with a corresponding entry in /etc/shorewall/masq. It isn't magic.

> I didn't go the Proxy ARP route because (a) 1:1 NAT struck me as simpler
> (two config file entries and I'm done) and (b) because I have to have the
> Exchange server available to clients behind the firewall I'd have to
> multihome the Windows box (i.e., give it both a valid external IPv4 address
> and a valid LAN-local IPv4 address), and I wasn't sure how Exchange would
> react to that.

If you have an internet-exposed machine behind the firewall with other client systems, then if the server gets hacked there is nothing between the hacked server and those other systems.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
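Editor's note: the following is an added illustration of the three set-ups the thread compares, in Shorewall's own file format. It is not from Tom's reply or from the Shorewall project's documentation. Everything concrete in it is assumed for the example: 203.0.113.10 as the server's public address, 192.168.2.3 as its private address, eth0 facing the Internet, eth1 the LAN, eth2 a separate segment for the server, and a dmz zone that the original mail does not have. Column layouts are written from memory of Shorewall 4; check them against the commented headers in the files your release ships.

```conf
# Added example, not from the original mail or the Shorewall project.
# Assumed: 203.0.113.10 = public address of the Exchange box,
# 192.168.2.3 = its private address, eth0 = net, eth1 = loc, eth2 = dmz.
# Verify column names against the files your Shorewall version ships.

# --- (A) 1:1 NAT: one line in /etc/shorewall/nat ---------------------------
#EXTERNAL       INTERFACE   INTERNAL        ALL INTERFACES   LOCAL
203.0.113.10    eth0        192.168.2.3     Yes              No
# ALL INTERFACES=Yes applies the mapping to packets arriving on eth1 as well,
# so LAN clients can use the public name without split DNS.  The server
# itself still sees only 192.168.2.3, which is the "identity" problem the
# reply mentions: anything that embeds its own address needs to be told the
# public one explicitly.

# --- (B) What (A) amounts to: a DNAT- rule plus a masq entry ---------------
# /etc/shorewall/rules  (DNAT- rewrites the destination but, unlike DNAT,
# does not add an ACCEPT rule, so the filter rules below still apply)
#ACTION   SOURCE   DEST               PROTO  DEST     SOURCE   ORIGINAL
#                                            PORT(S)  PORT(S)  DEST
DNAT-     net      dmz:192.168.2.3    all    -        -        203.0.113.10
# /etc/shorewall/masq  (SNAT the server's outbound traffic to the public IP)
#INTERFACE   SOURCE          ADDRESS
eth0         192.168.2.3     203.0.113.10

# --- (C) Proxy ARP: the server itself holds 203.0.113.10 -------------------
# /etc/shorewall/proxyarp
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE
203.0.113.10    eth2        eth0       No
# The server is configured with 203.0.113.10 and the firewall's eth0 address
# as its gateway; the firewall answers ARP for it on eth0 and routes to it
# on eth2.  No address rewriting, so no masq entry and no identity confusion.

# --- Filter rules needed in every variant (/etc/shorewall/rules) -----------
# Open only the ports the service needs; for RPC over HTTPS that is tcp 443.
ACCEPT    net      dmz:192.168.2.3    tcp    443        # (A) and (B)
#ACCEPT   net      dmz:203.0.113.10   tcp    443        # (C): public address

# --- The point of the last paragraph: put the exposed host in its own zone -
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect
# /etc/shorewall/policy -- a compromised dmz host cannot initiate to loc
#SOURCE   DEST    POLICY   LOG LEVEL
loc       net     ACCEPT
dmz       net     ACCEPT
net       all     DROP     info
all       all     REJECT   info
# Then open only what LAN clients need toward the server, for example:
ACCEPT    loc      dmz:192.168.2.3    tcp    443
```

After `shorewall restart`, confirm the mapping from the outside with a connection to 203.0.113.10:443 and a capture on eth2 showing the destination address as 192.168.2.3 for (A)/(B) or 203.0.113.10 for (C); also confirm that a connection attempt from the server toward a LAN address is rejected, which is the property the dmz zone exists to provide.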
