[BlueOnyx:04833] Re: Firewall for Datacenter

Christoph Schneeberger cschnee at box.telemedia.ch
Mon Jun 28 16:58:09 -05 2010


Thanks for your reply Michael, allow me to address some points inline.

Michael Stauber wrote:
> NAT has some interesting benefits both in regards to handling and security. 
> Basically you bind all public IPs to the firewall and then simply "route" a 
> specific public IP's port(s) to a specific private (internal) IP. 
>
> Security wise this can be a plus: Ports which you have not routed are 
> effectively closed and therefore inaccessible. 
>   
I have to counter that, actually if you desire that setup, it's as easy
as blocking all traffic on the incoming interface of your bridge and
allowing what you want. Probably a good start for a proper firewall
setup anyway.
> Or say there is a server that you need to take down for maintenance. Just 
> route the specific ports to a standby box until you're done. No need to change 
> the DNS or IP addresses on the boxes you're working on.
>   
That is a perfectly valid point and it has been useful to me in the
past too. However, DNS with a low TTL can do a good job (while not such a
perfect one as NAT) here too.

> The other "interesting" problem that Gerald already mentioned: If you run 
> mailservers on a NAT'ed network and NAT'ed server A tries to email to NAT'ed 
> server B, then it tries to send to the public IP address of B. That email then 
> may never make it through, as A should have used B's private internal IP 
> address for the connection. Or you need a firewall that supports "red" traffic 
> on the "green" interface and routes it as well.
> If yours doesn't, then you need an internal DNS server with all the records, 
> but that responds with the internal (NAT'ed) IPs instead of the public ones. 
> Which is probably hardly doable in a scenario such as the one that Gerald 
> is looking at.
>   
I believe you would need a perfect copy of the forward and reverse entries
internally on the natted network anyway sooner or later, or the sort of
problems you never thought about before will pop up over time ;)
> So yeah: NAT is a mixed bag. In a corporate environment or when you do managed 
> hosting, then it can be a very viable and interesting solution. But it throws 
> in another level of complexity that may not be worth the hassles in other 
> scenarios.
>   
I agree, and I would like to add that it's probably best suited for shops
with either a) not enough public address space or b) a small number of
public addresses, i.e. a /27 or /28, else I think it adds just an
unnecessary layer of complexity - or if you are just
Also performance can become an issue depending on the amount of traffic
and especially connections we are talking about, as every outgoing connection packet
needs to get translated too (without benefit). And then there is the
need for application-level proxies for the "special" sort of protocols
like FTP and the like. I could mention IPv6, but I won't as it has been
"coming very soon" for so long now...

I still would say it is bad advice/a bad proposal to Gerald to renumber his
network, just because the product in question doesn't support that
setup. Given the situation/requirement that he looks at, basically to
drop a bridge into the existing network configuration, NAT adds no
security to the setup at all but a lot of complexity. Still, your point
about fast switching over counts; the DNS alternative is quite poor.
> As for serious firewall recommendations ... I saw the name "Smoothwall" pop up 
> and almost spilled my coffee. 
>   
I am sorry to hear that, but I would be more than happy to offer another
coffee ;)

Cheers,
Christoph
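The default-deny bridge setup Christoph describes above (drop everything that enters on the bridge's upstream-facing port, then allow only the services you want), written out as an added example that is not from this thread or from BlueOnyx; the interface names, addresses and ports are assumptions. It also keeps replies to connections the servers opened themselves allowed, which a bare drop rule would break.

```shell
#!/bin/sh
# Constructed example: default-deny ruleset for a transparent bridge firewall
# (br0 with eth0 facing the upstream router, eth1 facing the hosted servers).
# Interface names, addresses and ports are assumptions for illustration.
# Requires br_netfilter so bridged frames traverse iptables:
#   sysctl -w net.bridge.bridge-nf-call-iptables=1
WAN_IF=${WAN_IF:-eth0}

# Allow-list, one "proto ip port" entry per line (constructed sample values).
ALLOW_LIST='tcp 203.0.113.10 25
tcp 203.0.113.10 80
tcp 203.0.113.11 443
udp 203.0.113.12 53'

# Print the iptables commands that implement "drop everything that enters via
# the upstream-facing bridge port, then allow only the listed services".
bridge_rules() {
  cat <<EOF
iptables -N BRIDGE_IN 2>/dev/null || true
iptables -F BRIDGE_IN
# Replies to connections the servers opened themselves stay allowed (stateful).
iptables -A BRIDGE_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  printf '%s\n' "$ALLOW_LIST" | while read -r proto ip port; do
    [ -n "$proto" ] || continue
    echo "iptables -A BRIDGE_IN -p $proto -d $ip --dport $port -j ACCEPT"
  done
  cat <<EOF
# Everything else that arrived on the upstream-facing port is logged and dropped.
iptables -A BRIDGE_IN -m limit --limit 5/min -j LOG --log-prefix "BRIDGE_DROP "
iptables -A BRIDGE_IN -j DROP
# Hook: only frames that entered the bridge through $WAN_IF are inspected.
# Delete any old hook first so re-running the script does not duplicate it.
iptables -D FORWARD -m physdev --physdev-in $WAN_IF -j BRIDGE_IN 2>/dev/null || true
iptables -I FORWARD -m physdev --physdev-in $WAN_IF -j BRIDGE_IN
EOF
}

# Number of ACCEPT rules rendered (stateful rule + one per allow-list entry).
allow_count() {
  bridge_rules | grep -c -- '-j ACCEPT$'
}

# Dry run by default; set APPLY=1 and run as root to load the rules.
if [ "${APPLY:-0}" = 1 ]; then bridge_rules | sh; else bridge_rules; fi
```

Traffic between the hosted servers on eth1 never enters through eth0, so it is not touched by this chain; only what comes from upstream is filtered.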
