[Discuss] web server can't see out but others can see in

Edward Ned Harvey (blu) blu at nedharvey.com
Wed Sep 26 07:23:37 EDT 2012


> From: Edward Ned Harvey (blu)
> Second, don't enable one-to-one NAT.

1-to-1 NAT means every packet destined for some external IP address will be NAT'd to some internal IP address.

This is how you effectively put an internal machine outside the firewall.  The only difference between 1-to-1 NAT and *actually* putting the machine outside the firewall is that the traffic still goes through the firewall, which means you're able to apply firewall rules, packet inspection, etc.

1-to-1 NAT exposes you to more risk than necessary, if all you want to do is serve port 80.
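As an added example (not from Ned's post, nor anything distributed by BLU), here is a small POSIX shell audit that reads an iptables-save style NAT table and flags blanket DNAT rules of the kind 1-to-1 NAT produces, as opposed to a port forward restricted to `--dport 80`. The rule dump and all addresses below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audit an iptables-save dump for
# 1-to-1 NAT: a DNAT rule with no --dport restriction forwards every port of
# the external address to the internal host, so every service on that host
# is reachable from outside (subject only to whatever FORWARD rules exist).
# The dump is constructed; 203.0.113.x are documentation addresses.
RULES_DUMP='*nat
:PREROUTING ACCEPT [0:0]
# one-to-one NAT: every packet for 203.0.113.10 lands on the web box
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 192.168.1.10
# port forward: only HTTP for 203.0.113.11 reaches the second box
-A PREROUTING -d 203.0.113.11/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.11:80
COMMIT'

# Print the DNAT rules that carry no --dport restriction (blanket 1-to-1 NAT).
blanket_dnat_rules() {
    printf '%s\n' "$1" | grep -- '-j DNAT' | grep -v -- '--dport'
}

# Count them; a ruleset that only forwards specific ports returns 0.
blanket_dnat_count() {
    blanket_dnat_rules "$1" | grep -c .
}

# For one external address, report what inbound traffic is forwarded:
# "none" if nothing is, "all" for blanket DNAT, else the sorted --dport list.
forwarded_ports() {
    dump=$1; ext=$2
    rules=$(printf '%s\n' "$dump" | grep -- "-d $ext/32" | grep -- '-j DNAT')
    if [ -z "$rules" ]; then
        echo none
    elif printf '%s\n' "$rules" | grep -q -v -- '--dport'; then
        echo all
    else
        printf '%s\n' "$rules" | sed -n 's/.*--dport \([0-9]*\).*/\1/p' \
            | sort -un | tr '\n' ' ' | sed 's/ $//'
    fi
}

# Stand-alone run: list the blanket rules and summarise each external address.
blanket_dnat_rules "$RULES_DUMP"
for ip in 203.0.113.10 203.0.113.11; do
    printf '%s -> %s\n' "$ip" "$(forwarded_ports "$RULES_DUMP" "$ip")"
done
```

On a live box, feed it the output of `iptables-save -t nat` instead of the embedded dump; the same `grep -v -- '--dport'` test also catches rules that match by `-p` but never narrow the port.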