OSEC

From: Jason Murray (j.j.murray@home.com)
Date: Tue Oct 16 2001 - 20:59:23 CDT

    On Thu, Oct 11, 2001 at 09:22:18PM +0200, Pacifi3r wrote:
    > One question springs to mind when I read all these discussions, where would
    > you do your NATing and why.

    NAT is a necessary evil. It is preferable, from a networking point of view,
    to maintain the end-to-end principle. If you use NAT as a form of security
    you are deluding yourself. It was not designed as such, it was designed as a
    kludge for those who were not going to connect their networks to the
    Internet, or who could not get enough address space.

    > I would think that doing one-to-one NAT on the external firewall for all the
    > hosts in the DMZ and then doing hide NAT for all the addresses that are
    > behind the internal firewall, including the internal firewall.

    With my above comments in mind, I would only do NATting for the internal
    hosts. And I would do that at the outer firewall. This maintains the
    end-to-end principle from Internet hosts to my DMZ hosts, as well as from
    my DMZ hosts to my DMZ hosts. Less likely to break protocols that way.

    +---
    | Jason Murray, jmurray at computer dot org
    +---
    | One, two! One, two! And through and through
    | The vorpal blade went snicker-snack!
    | He left it dead, and with its head
    | He went galumphing back.
    +--- from Jabberwocky, Lewis Carroll
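The placement Jason argues for above (hide NAT at the outer firewall for the internal hosts only, DMZ hosts keeping their real addresses in both directions) expressed as an nftables ruleset. This is an added example configuration, not part of the original post; the interface names, address ranges, the inner firewall's address and the published ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Assumed topology:
#   eth0 = Internet (WAN)
#   eth1 = DMZ segment, public range 203.0.113.0/28
#   Internal LAN 10.0.0.0/24 sits behind the inner firewall at 203.0.113.2,
#   reached from this box via a static route (ip route add 10.0.0.0/24 via 203.0.113.2).
# The NAT decision is made on the SOURCE PREFIX, not on the interface, so DMZ
# traffic on the same segment passes untranslated and end-to-end is preserved.
flush ruleset

table inet outer_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows already allowed in either direction
        ct state established,related accept

        # Internet -> DMZ: only the published services; destination is the
        # host's real public address, no one-to-one NAT involved
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.0/28 tcp dport { 25, 80, 443 } accept

        # DMZ -> Internet: DMZ hosts originate connections from their own addresses
        iifname "eth1" oifname "eth0" ip saddr 203.0.113.0/28 accept

        # Internal LAN (arriving via the inner firewall) -> Internet: allowed here,
        # hidden behind the WAN address in postrouting below
        iifname "eth1" oifname "eth0" ip saddr 10.0.0.0/24 accept

        # No rule admits Internet -> 10.0.0.0/24, so the drop policy handles it;
        # the private range is not reachable from outside in any case
    }
}

table ip outer_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Hide (many-to-one) NAT for the internal hosts only. DMZ sources never
        # match this rule and therefore leave with their real addresses.
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade
    }
}
```

Load with `nft -f <file>` and confirm with `nft list ruleset` that the only translating rule is the single `masquerade` line keyed on the internal prefix.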