From: Nick Drage <nickd@metastasis.org.uk>
To: netfilter@lists.netfilter.org
Subject: Re: DMZ Setup Question
Date: Tue, 6 Dec 2005 13:04:22 +0000
Message-ID: <20051206130422.GC21572@metastasis.org.uk>
In-Reply-To: <1133367720.22295.45.camel@syslinux.marketlinksolutions.net>

On Wed, Nov 30, 2005 at 11:22:00 -0500, Jay Zorzi wrote:

Left in for context....

> My colleague and I are having a disagreement about our network firewall
> and routing policies.  First the setup information.
> We have a Bridge Router running iptables and ebtables as our external
> firewall.  Behind that we have a DMZ that contains machines with valid
> external addresses.  Between the DMZ and our internal network there is
> another firewall.  Our choke firewall.  The choke firewall is doing NAT
> in order for our internal network to surf the Internet but for our DMZ
> machines to talk to our internal machines we are just using routing, no
> NAT.

Onwards....

> Now here is the disagreement.  Because the internal machines are using
> a private network address my colleague is concerned that we are
> violating Internet rules/etiquette by having this internal private
> ip's routing to our DMZ machines that have valid Internet IP's.

Not at all.  It may technically be against an RFC but you're not
affecting anyone's routing tables using this method so it's not a
problem.  I've seen large ISPs use such internal address ranges on their
networks before so I wouldn't worry.

> He is also suggesting that using nat is more secure.

It is, sort of.  Without NAT if someone compromised a DMZ box and
somehow your choke firewall permitted inbound connections then the
attacker could have a go at your internal hosts from the compromised
host.

If you used NAT it would mean someone could compromise a box in the DMZ
and still not get to your internal hosts, unless you specifically
forwarded inbound connections to a port on the external interface of the
choke firewall to an internal host. 

So without NAT you have to do something dumb to be vulnerable, with NAT
you have to do something dumber.  Seeing as things work at the moment
I'd be very tempted to leave things as they are.

> Can someone help us settle this disagreement?

Hope the above helps :)

-- 
deviants are sacrificed to increase group solidarity
Jenny Solzer
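The choke-firewall policy the two replies argue about, written out as an iptables-restore ruleset so the "dumb" and "dumber" cases are visible side by side. This is an added example, not code from the thread; the interface names, the internal prefix and the port-forward target are assumptions.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset for a "choke" firewall
# between a DMZ (public addresses) and an RFC 1918 internal network.
# Interface names, the LAN prefix and the DNAT target are assumptions.
DMZ_IF=${DMZ_IF:-eth0}          # interface facing the DMZ
LAN_IF=${LAN_IF:-eth1}          # interface facing the internal network
LAN_NET=${LAN_NET:-10.0.0.0/24} # internal private prefix

# choke_ruleset MODE [DNAT_TARGET]
#   MODE        "route" = plain routing between DMZ and LAN (the poster's setup)
#               "nat"   = masquerade the LAN behind the choke (the colleague's idea)
#   DNAT_TARGET optional host:port; forwards a TCP port on the choke's DMZ side
#               to that internal host (the "something dumber" case)
# Load with:  choke_ruleset route | iptables-restore
choke_ruleset() {
  mode=$1; dnat=$2
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -m state --state NEW -j ACCEPT
EOF
  # A port-forward needs a matching FORWARD accept; it is the one hole a
  # compromised DMZ host can reach through even in NAT mode.
  if [ -n "$dnat" ]; then
    echo "-A FORWARD -i $DMZ_IF -o $LAN_IF -d ${dnat%:*} -p tcp --dport ${dnat#*:} -m state --state NEW -j ACCEPT"
  fi
  # In "route" mode this DROP is the rule that must not go missing: internal
  # hosts are directly addressable from the DMZ, so only policy keeps them out.
  cat <<EOF
-A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state NEW -j LOG --log-prefix "choke-dmz-to-lan: "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
COMMIT
EOF
  if [ "$mode" = nat ]; then
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $DMZ_IF -s $LAN_NET -j MASQUERADE
EOF
    if [ -n "$dnat" ]; then
      echo "-A PREROUTING -i $DMZ_IF -p tcp --dport ${dnat#*:} -j DNAT --to-destination $dnat"
    fi
    echo COMMIT
  fi
}
```

Compare `choke_ruleset route`, `choke_ruleset nat` and `choke_ruleset nat 10.0.0.5:22`: the first two expose nothing from the DMZ side as long as the DROP rule stays, the third opens exactly one path back into the internal network.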