
one-to-one NAT mapping

jungle

Senior member
What pros/cons would you have if you had one<-->one NAT mapping for your servers, i.e.:

web.server 192.168.1.5<-->216.191.221.51
mail.server 192.168.1.6<-->216.191.221.60

So the firewall is doing NAT with one-to-one mapping... therefore your servers are usable over the net, but they have private IPs because the firewall has the real IP addy and is forwarding the requests. So my question is, what would be the difference from just letting the servers have a real address but yet behind a firewall?
 
The only problem I would foresee is when you're trying to do stuff that requires the external IP to be known. I was just talking on another thread with a guy using IIS ftp server, and he couldn't get passive mode to work because IIS won't allow you to "masquerade" as the external IP. For the most part you shouldn't have any problems, but I thought of that example in particular.
 
Well, security is the primary reason you have a firewall - if you place your webservers outside the firewall, you could easily be in a world of hurt. You could also use a firewall without NAT and allow only port 80 traffic. Not quite as good security, but still effective.

- G
 
That is actually a very good way of doing things. I'm not sure why exactly, but I see it a lot. I like it because the webserver doesn't sit on the outside; it doesn't have a real IP, so the only traffic that could go to it (easily) would be the traffic you let go to it. If sshd was out of date and vulnerable, it wouldn't cause many problems because no one could easily route to that server on port 22. If it had an external IP, and there was also a flaw in the firewall, getting to that machine on port 22 would be much easier.
 
Putting the servers behind a firewall only exposes the specific ports that you make available; if you drop the machines on the open Internet, EVERY POSSIBLE exploit is available to the attacker, all ports, all services.

If you "locked down" the machine (a major P.I.T.A.), you're a little safer, but with rare exception (like some of the BSD releases), there's always a few weaknesses.

Using the firewall doesn't make it 100% bulletproof, but it greatly reduces the number of possible attacks/exploits available to the would-be hacker.

FWIW

Scott
 
Don't put your web server behind the firewall in the same network as the rest of your LAN. Use a DMZ for the web & mail server if it is to have access from the outside world, because port 80 is known to have exploits where a hacker can worm themselves into the rest of your network if they are in the same LAN.
 
Let me rephrase this a little bit... I think some of you have misread what I meant....

The question is what are the pros and cons of running a web/mail server using one-to-one NAT mappings in addition to being behind a firewall. So you have the protection of the firewall and the advantage of not having a real IP addy.
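As an added example (not from the thread), here is what the setup being asked about looks like as a Linux nftables ruleset: 1:1 NAT for the two addresses given in the original post, plus a default-drop forward chain so only the published ports reach each server. It assumes eth0 faces the Internet and eth1 is the server (DMZ) segment; both interface names are assumptions.

```nft
# Added example: 1:1 NAT for the two servers in the question, with a
# default-drop forward policy so only the published ports reach them.
# Assumptions: eth0 is the Internet-facing interface, eth1 is the server
# (DMZ) segment; the addresses are the ones from the original post.
table ip nat {
    # public -> private, used for inbound connections
    map one_to_one_in {
        type ipv4_addr : ipv4_addr
        elements = { 216.191.221.51 : 192.168.1.5,
                     216.191.221.60 : 192.168.1.6 }
    }
    # private -> public, used for replies and outbound connections
    map one_to_one_out {
        type ipv4_addr : ipv4_addr
        elements = { 192.168.1.5 : 216.191.221.51,
                     192.168.1.6 : 216.191.221.60 }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # rewrite the public destination to the server's private address
        iifname "eth0" dnat to ip daddr map @one_to_one_in
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # rewrite the private source back to the matching public address
        oifname "eth0" snat to ip saddr map @one_to_one_out
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # DNAT has already run, so match on the private addresses here.
        # Only HTTP to the web server and SMTP to the mail server are admitted;
        # anything else (sshd on port 22, for instance) is dropped at the firewall.
        iifname "eth0" ip daddr 192.168.1.5 tcp dport 80 ct state new accept
        iifname "eth0" ip daddr 192.168.1.6 tcp dport 25 ct state new accept
        # the servers may still open outbound connections (updates, outgoing mail)
        iifname "eth1" oifname "eth0" ct state new accept
    }
}
```

Load it with `nft -f`. Address rewriting alone does not help protocols that embed the inside address in their payload, which is the passive-mode FTP problem mentioned earlier in the thread; those need a conntrack helper or a server that can advertise the public address.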
 


<< Let me rephrase this a little bit... I think some of you have misread what I meant....

The question is what are the pros and cons of running a web/mail server using one-to-one NAT mappings in addition to being behind a firewall. So you have the protection of the firewall and the advantage of not having a real IP addy.
>>



That's what I thought you meant. Of course my post probably made little sense 😛
 