Owen O' Shaughnessy wrote:
> Conall O'Brien wrote:
>> I don't intend ever going back to using NAT, since I like being able
>> to set up a random machine I'm using for something so I can ssh into
>> it externally.
>
> All the linux firewalling howto's suggest that routing firewalls are
> evil, and that you should proxy all your protocols. Doesn't that just
> fly in the face of the general consensus being offered here by you and
> others?

Hi Owen,

I would say this highly depends on the circumstances:

* If this is a home user with just 1-3 users (a family), non tech:
  NAT is "ok", as most broadband routers are configured that way by ISPs
  and the non-tech people had better stick with this.

* If you are a small business and/or technically skilled:
  Implement at least one DMZ for publicly accessible services (public IPs)
  and:
    NAT the internal IPs
  or
    route (with firewall) the public IPs
    [[needs more tech knowledge if done correctly]]

* If you are a big business:
  you have multiple DMZs with public IPs:
  - for incoming connections (server)
  - for outgoing connections (via application gateways)
  - for site-2-site connections
  ...

So all suggestions are valid, yet using NAT appeals to the
less experienced/easy living users as they usually do not
have to troubleshoot.

And:
***NEVER allow any connections back in through NAT***
(Like lots of ISP routers allow...
... but these are usually switched off -> there is a reason for this!)

Regards,
Achim Dreyer