[Coldstuff] IP Masq / forwarding

Brad Roberts coldstuff@cold.org
Wed, 20 Feb 2002 12:30:44 -0800 (PST)


On Wed, 20 Feb 2002, Brandon Gillespie wrote:

> On Wed, Feb 20, 2002 at 11:19:31AM -0800, Jonathan Robertson wrote:
> > I am going to be toying around with the idea of using
> > ip masq and forwarding to hide my server behind
> > another firewall.  Has anyone else already done this?
> > Comments or suggestions from anyone?
>
> Please correct me if I'm wrong, but isn't Linux's IP masquerading just
> PAT/NAT?  If so, it's not really appropriate for a server (inbound) and
> was originally designed to hide a network behind a single IP address
> (outbound).  While you can manage inbound on a port by port basis to a
> server... why would you in this situation?  It would work, but you
> don't get much value and you do get more complexity...
>
> -Brandon

Appropriate is very much in the eye of the beholder.  Hiding a box behind
NAT and doing port forwarding can often be a big advantage.

- You gain a reasonable measure of security by having only specifically
forwarded ports accessible on the internal machine.

- You gain device independence by not having the public network aware of
the actual address of the box being forwarded to.

- With a NAT engine a little more powerful than the current Linux
implementation (well, I don't know for a fact that Linux's can't do this,
but I'm not sure it can either) you could even do load balancing across
multiple boxes from a central NAT point.  Granted, this wouldn't be a good
thing for a mud.

- Lastly, hardening a single box that's doing the NAT work can be a lot
easier than hardening every machine behind it.  With only a few known
ports getting through to a few very well defined machines, the network
behind the NAT point can afford to be less hardened.

Later,
Brad
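As an added example (not from this thread or the Cold project), here is the shape Brad's first and last points take as a Linux 2.4 iptables rule set: a single DNAT rule exposes one port of the hidden server, and a default-drop FORWARD policy keeps every other port unreachable. The interface names, the private address 192.168.1.10 and port 4000 are constructed placeholders.

```shell
#!/bin/sh
# Added example: minimal NAT + single-port forwarding on a Linux 2.4 iptables
# box with two interfaces.  Addresses, ports and interface names are
# constructed placeholders, not values from the thread.
EXT_IF=eth0            # public side of the NAT box
INT_IF=eth1            # private side
SERVER=192.168.1.10    # constructed: the hidden server's private address
SERVER_PORT=4000       # constructed: the one service port exposed

# Emit the rules as a script instead of applying them, so they can be
# reviewed first ("nat_rules | sh" applies them as root).
nat_rules() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
# Outbound: hide the private network behind the NAT box's public address.
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
# Inbound: only this one port is rewritten to the hidden server.
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $SERVER_PORT \\
  -j DNAT --to-destination $SERVER:$SERVER_PORT
# Nothing crosses the NAT box unless a rule below explicitly allows it.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $SERVER --dport $SERVER_PORT \\
  -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -m state --state NEW -j ACCEPT
EOF
}

# Sanity check before applying: exactly one DNAT rule and a default-drop
# FORWARD policy, so only the forwarded port can reach the internal machine.
check_rules() {
  rules=$(nat_rules)
  [ "$(printf '%s\n' "$rules" | grep -c -- '-j DNAT')" -eq 1 ] || return 1
  printf '%s\n' "$rules" | grep -q '^iptables -P FORWARD DROP$' || return 1
  return 0
}
```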