[BlueOnyx:04830] Re: Firewall for Datacenter
Michael Stauber
mstauber at blueonyx.it
Mon Jun 28 15:56:05 -05 2010
Hi Christoph,
> IMHO, NAT gives no benefit at all but creates some interesting new
> problems. But that's really just my 2 centimes, maybe you can elaborate on
> what benefits NAT would bring to Gerald's situation ?
NAT has some interesting benefits both in regards to handling and security.
Basically you bind all public IPs to the firewall and then simply "route" a
specific public IP's port(s) to a specific private (internal) IP.
Security-wise this can be a plus: ports which you have not routed are
effectively closed and therefore inaccessible.
Or say there is a server that you need to take down for maintenance. Just
route the specific ports to a standby box until you're done. No need to change
the DNS or IP addresses on the boxes you're working on.
But NAT adds quite a bit of management overhead. You need to carefully keep
tabs on what you route where, especially if a team of network operators
manages the network. It gets even more complicated if you throw in paying
customers for which you need to manage the port forwarding. Simply forwarding
all ports from the public IP to the private IP then negates some of the added
security benefits that NAT offers, but if you don't, then you'll have a much
higher support overhead with paying customers ("Hey, I installed Webmin, but
nothing comes up at port 10000 when I try to connect to it!").
The other "interesting" problem that Gerald already mentioned: If you run
mail servers on a NAT'ed network and NAT'ed server A tries to email to NAT'ed
server B, then it tries to send to the public IP address of B. That email then
may never make it through, as A should have used B's private internal IP
address for the connection. Or you need a firewall that supports "red" traffic
on the "green" interface and routes it as well.
If yours doesn't, then you need an internal DNS server with all the records,
but one that responds with the internal (NAT'ed) IPs instead of the public ones.
Which is probably hardly doable in a scenario such as the one that Gerald
is looking at.
So yeah: NAT is a mixed bag. In a corporate environment or when you do managed
hosting, then it can be a very viable and interesting solution. But it throws
in another level of complexity that may not be worth the hassles in other
scenarios.
As for serious firewall recommendations ... I saw the name "Smoothwall" pop up
and almost spilled my coffee.
I've been using Smoothwall Corporate Firewall (with a few of their plugins)
for a couple of years and my verdict on it wouldn't really be suitable for a
public mailing list. Sorry, but on that I couldn't make do without letting
slip a profanity at the beginning or end of every second sentence.
So my recommendation there would be to look at something else instead. :o)
--
With best regards
Michael Stauber
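The port-forwarding NAT and the "red traffic on the green interface" mail-server problem described in the post above, as an added toy model (example code, not from the original thread or from any firewall product). Public IPs, private IPs and the forwarding table are constructed; the firewall is modelled as a pure function that either translates a packet or drops it.

```python
"""Toy model of 1:1-port NAT: public IP:port -> private IP:port forwarding,
with and without hairpin handling for internal clients that use a public IP."""
from dataclasses import dataclass

FW_PUBLIC = {"203.0.113.10", "203.0.113.11"}  # constructed public IPs bound to the firewall
FW_GREEN = "10.0.0.1"                         # constructed firewall address on the LAN side

# Constructed forwarding table: (public_ip, port) -> (private_ip, port).
# Anything not listed here is, from the outside, simply a closed port.
FORWARDS = {
    ("203.0.113.10", 25): ("10.0.0.20", 25),  # server B's SMTP
    ("203.0.113.10", 80): ("10.0.0.20", 80),  # server B's HTTP
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str  # "red" = arrived from the public side, "green" = arrived from the LAN


def translate(pkt, forwards, hairpin=False):
    """Return the packet as the firewall would deliver it, or None if it is dropped."""
    key = (pkt.dst, pkt.dport)
    if pkt.dst not in FW_PUBLIC:
        return pkt  # ordinary internal traffic, never touched by NAT
    if key not in forwards:
        return None  # not routed anywhere == effectively closed
    priv_ip, priv_port = forwards[key]
    if pkt.iface == "red":
        return Packet(pkt.src, priv_ip, priv_port, "green")  # plain DNAT
    # A LAN host (server A) talking to a public IP: the mail-server case.
    if not hairpin:
        return None  # firewall does not route red traffic on green; the connection never completes
    # Hairpin NAT: DNAT plus SNAT to the firewall's LAN address, so B's reply
    # returns through the firewall instead of going straight to A's private IP.
    return Packet(FW_GREEN, priv_ip, priv_port, "green")


def maintenance_forward(forwards, priv_old, priv_new):
    """Re-point every forward from a box going down to a standby box; DNS stays untouched."""
    return {k: (priv_new if v[0] == priv_old else v[0], v[1]) for k, v in forwards.items()}
```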