Tom,

Being a novice vis-à-vis shorewall, would you mind sharing what the equivalent rule and entry would be?
- Mark

> -----Original Message-----
> From: Tom Eastep [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 01, 2008 4:39 PM
> To: [EMAIL PROTECTED]; Shorewall Users
> Subject: Re: [Shorewall-users] 1:1 NAT Question
>
> Mark Olbert wrote:
>
>> My question is this: are there any significant downsides
>> (particularly security downsides) to doing 1:1 NAT as opposed to Proxy ARP?
>
> No. Both depend on routing -- they just use different tricks to make routing
> work. My objection to NAT is that it can confuse your servers as to their
> true identity and can make you use split DNS or hacks like described in
> Shorewall FAQ 2.
>
>> I'm ignoring DNAT, perhaps inappropriately, because I think it would
>> be hard to get RPC over HTTP to work using DNAT.
>
> 1:1 NAT is equivalent to a DNAT- rule coupled with a corresponding
> entry in /etc/shorewall/masq. It isn't magic.
>
>> I didn't go the Proxy ARP route because (a) 1:1 NAT struck me as
>> simpler (two config file entries and I'm done) and (b) because I have
>> to have the Exchange server available to clients behind the firewall
>> I'd have to multihome the Windows box (i.e., give it both a valid
>> external IPv4 address and a valid LAN-local IPv4 address), and I
>> wasn't sure how Exchange would react to that.
>
> If you have an internet-exposed machine behind the firewall with other
> client systems, then if the server gets hacked there is nothing
> between the hacked server and those other systems.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA     \ [EMAIL PROTECTED]
> PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
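For readers following the thread, the two entries Tom refers to, written out side by side with the single /etc/shorewall/nat line they replace. This is an added example, not part of the original exchange and not taken from Shorewall's own documentation; the public address 203.0.113.10, the server address 192.168.1.3, the interface eth0, the zones net and loc and the ACCEPT line for TCP 443 are all assumed for illustration.

```text
# --- Form 1: 1:1 NAT, one line in /etc/shorewall/nat ---
# EXTERNAL        INTERFACE   INTERNAL        ALL INTERFACES   LOCAL
203.0.113.10      eth0        192.168.1.3     No               No

# --- Form 2: the same thing spelled out as DNAT- plus masq ---
# /etc/shorewall/rules
# ACTION   SOURCE   DEST               PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
DNAT-      net      loc:192.168.1.3    -       -              -                203.0.113.10

# /etc/shorewall/masq  (entries are matched in order: the server-specific
# line must come before the general LAN line, or the server's outbound
# traffic leaves with the shared address instead of 203.0.113.10)
# INTERFACE   SOURCE          ADDRESS
eth0          192.168.1.3     203.0.113.10
eth0          192.168.1.0/24

# --- Common to both forms ---
# Neither form opens anything by itself. What net may reach the server is
# still decided in /etc/shorewall/rules, and because address translation
# happens before filtering, those rules name the INTERNAL address.
# ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
ACCEPT     net      loc:192.168.1.3    tcp     443
```

Form 1 and Form 2 generate the same translation: inbound packets for 203.0.113.10 have their destination rewritten to 192.168.1.3 (DNAT-, which unlike DNAT emits no companion ACCEPT), and outbound packets from 192.168.1.3 have their source rewritten to 203.0.113.10 (the masq entry). The ACCEPT line is where the actual exposure is set. Note also what neither form changes: with the server in loc next to the client machines, traffic between them never crosses the firewall, which is the point Tom raises about a compromised server.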