[Discuss] web server can't see out but others can see in



On Wed, Sep 26, 2012 at 11:23:37AM +0000, Edward Ned Harvey (blu) wrote:
> > From: Edward Ned Harvey (blu)
> > Second, don't enable one-to-one NAT.
> 
> 1-to-1 NAT means every packet destined for some external IP address
> will be NAT'd to some internal IP address.
> 
> This is how you effectively put an internal machine outside the
> firewall.  The only difference between 1-to-1 NAT, and *actually*
> putting the machine outside the firewall is that the traffic still
> goes through the firewall.  Which means you're able to apply
> firewall rules, and packet inspection, etc.

That's a pretty big difference.  Enabling 1:1 NAT and applying
firewall rules at the gateway is nearly equivalent to putting the box
on the net directly and enabling a host-based firewall.  Unless you
also need to protect the machine from other hosts that are inside the
firewall, there's really no practical difference.  And if you avoid
running services you don't need, and set up your firewall correctly
(and it actually works), there's not much difference between that and
keeping it behind the firewall.  You can't attack a service that isn't
there, or can't hear you.

> 1-to-1 NAT exposes you to more risk than necessary, if all you want
> to do is serve port 80.

Agreed... though if the web server is the only service that's
listening to external connections, or all the other listening services
are blocked off by a firewall, again there's not much difference in
risk, with the latter being a little weaker than the former (as your
firewall may be buggy/broken).

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.
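As an added example (not from this thread or its authors), the gateway-side rules the two posts contrast: 1:1 NAT plus a FORWARD filter that narrows it to TCP/80, beside a plain single-port forward. The interface name and addresses are constructed placeholders; IPT defaults to printing the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Gateway rules contrasting 1:1 NAT with a
# single-port forward for a web server; interface and addresses are constructed.
# IPT defaults to a dry run that prints the iptables commands; set IPT=iptables
# (as root) to apply them.
IPT="${IPT:-echo iptables}"
WAN_IF=eth0                # upstream interface (assumed)
EXT_IP=203.0.113.10        # public address on the gateway (constructed, TEST-NET-3)
WEB_IP=192.168.1.80        # internal web server (constructed)

# 1:1 NAT: every packet for EXT_IP is rewritten to WEB_IP, any protocol and
# any port, and the server's outbound traffic is rewritten back to EXT_IP.
one_to_one_nat() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$EXT_IP" -j DNAT --to-destination "$WEB_IP"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$WEB_IP" -j SNAT --to-source "$EXT_IP"
}

# Filter rules that make 1:1 NAT behave like a host-based firewall on the
# server: only new TCP/80 connections from the WAN may reach it.
restrict_forward_to_web() {
    $IPT -A FORWARD -i "$WAN_IF" -d "$WEB_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -d "$WEB_IP" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -d "$WEB_IP" -j DROP
}

# Lower-exposure alternative: translate only TCP/80, so other ports on the
# server never receive WAN packets even if the FORWARD rules are wrong.
port_forward_web_only() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$EXT_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP:80"
    $IPT -A FORWARD -i "$WAN_IF" -d "$WEB_IP" -p tcp --dport 80 -j ACCEPT
}

# Count the DNAT rules a mode emits with no --dport match, i.e. translations
# that expose every port of the server (prints the count).
unrestricted_dnat_count() {
    "$1" | grep -- '-j DNAT' | grep -vc -- '--dport'
}

# Usage: sh nat-modes.sh one-to-one | port-forward   (dry run unless IPT=iptables)
case "${1:-port-forward}" in
    one-to-one)   one_to_one_nat; restrict_forward_to_web ;;
    port-forward) port_forward_web_only ;;
esac
```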