From: Steven M Campbell <Netfilter@SCampbell.net>
To: Netfilter ML <netfilter@lists.netfilter.org>
Subject: Re: dnatting
Date: Tue, 12 Jul 2005 17:03:12 -0400 [thread overview]
Message-ID: <42D43010.3050406@SCampbell.net> (raw)
In-Reply-To: <20050712125001.GA2921@tranquility.scriptkitchen.com>
Payal Rathod wrote:
>On Tue, Jul 12, 2005 at 07:59:18AM -0400, Jason Opperisano wrote:
>
>>On Tue, Jul 12, 2005 at 03:34:07AM -0400, Payal Rathod wrote:
>>
>>>Thanks this solved it. Thanks again.
>>>Now I am curious why Jason didn't suggest this.
>>>
>>no need for curiosity--re-read the last sentence of my post.
>>
>
>I had already did that and was wondering why the solution posted is
>not agreed upon by. Why do you call it half-baked?
>Payal
>
I'll jump in :) What we have done here is natted the connections in
both directions. If you could imagine walking from your living room to
your bedroom by going out the garage and coming back in the front door
first you start to feel the sillyness of this datapath. Here's a few
issues this technique raises:
* Increased utilization of the firewall
The firewall has to handle all the traffic which would normally just be
switched internally, this makes the connection slower for the user and
may impact other users as it uses resources on the firewall. This is
also true of the network path in general, for instance: Say you put a
gigabit card into the server, if you firewall only has 100mb card then
your server really cannot use the GB card to any capacity, in fact it is
limited to whatever bandwidth is left on the firewall interface. You
spend good money on switches and network design, utilize them.
* Dependency on the firewall to reach local traffic
Turn off you firewall and your users can't reach this server!
Maintenance becomes an issue.
* Masquerading of the source computer
If you have a problem with a user it will be more fun tracking it
because the source IP address will now always appear to be the firewall
and, if this is after the fact, the connection may be long gone from the
connection table leaving you unable to trace the problem. Also, you
can't use and IP based permissions on the server as, again, everyone
will appear to be from the firewall
* Increased firewall rule complexity
Everytime another server is added in this fashion you need to maintain
firewall rules, add lots of servers and it becomes real messy really
fast. One of the keys to having a secure firewall is having clean
rules, the more cruft that gets in there the more likely a mistake will
be made creating a hole in your firewall system.
So, having put a few of these negative forth allow me to suggest an
alternative. Split DNS, with split dns you will create a name, for
example theserver.myplace.com and have a split view of it, that is,
folks on the inside will get the inside address and folks on the outside
will get the outside address. No special routing is then required and
you can use the server internally without any of the above issues. I
totally agree with Jason in suggesting that you investigate your name
server rather than doing this bi-directional NAT.
next prev parent reply other threads:[~2005-07-12 21:03 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-07-11 19:09 dnatting Gary W. Smith
2005-07-12 7:34 ` dnatting Payal Rathod
2005-07-12 11:59 ` dnatting Jason Opperisano
2005-07-12 12:50 ` dnatting Payal Rathod
2005-07-12 21:03 ` Steven M Campbell [this message]
-- strict thread matches above, loose matches on Subject: below --
2005-07-13 16:28 dnatting Gary W. Smith
2005-07-13 16:40 ` dnatting Steven M Campbell
2005-07-12 23:19 dnatting Gary W. Smith
2005-07-13 10:39 ` dnatting Jan Engelhardt
2005-07-13 21:19 ` dnatting R. DuFresne
2005-07-13 14:50 ` dnatting Steven M Campbell
2005-07-13 16:33 ` dnatting Donald Murray
2005-07-13 16:39 ` dnatting Steven M Campbell
2005-07-12 14:05 dnatting Gary W. Smith
2005-07-11 15:18 dnatting Payal Rathod
2005-07-11 15:20 ` dnatting Jan Engelhardt
2005-07-11 18:21 ` dnatting Payal Rathod
2005-07-11 18:38 ` dnatting /dev/rob0
2005-07-11 18:42 ` dnatting Jan Engelhardt
2005-07-11 15:24 ` dnatting Scott
2005-07-11 18:45 ` dnatting Jason Opperisano
2005-07-11 18:54 ` dnatting Jan Engelhardt
2005-07-13 3:21 ` dnatting Donald Murray
2005-07-13 4:48 ` dnatting Jason Opperisano
2005-07-14 15:42 ` dnatting curby .
2005-07-14 15:49 ` dnatting curby .
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42D43010.3050406@SCampbell.net \
--to=netfilter@scampbell.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.