Firewall Configuration Question... Is this possible?
dufresne at sysinfo.com
Mon Aug 1 19:13:25 CEST 2005
On Sun, 31 Jul 2005, /dev/rob0 wrote:
> Timothy Patterson wrote:
>> I currently have NAT set using masquerading to allow internet access
>> from all of our internal computers on the network. My problem is that I
>> am also trying to run Apache on the box that is doing the NAT
>> translation rules. Is it possible to run a web server on the same box
>> that is performing the translations?
> Of course.
>> If so, could someone give me a quick example on how to accomplish
> Restrict SNAT by interface. Only do it for clients on the LAN.
>> this? I've tried googling for this, but I have not found any pertinent
> The NAT HOWTO?
Doable, but not advised; a firewall should be single purpose, most servers
should be single purpose where possible. But then this is not often the
case. But a firewall certainly should be a single purpose system much
like a router is; they do similar work anyways.
Putting a web server on the firewall makes the firewall and the whole
internal network subject to any issues that the web services now face,
plus you now have to allow another set of ports/protocols directly to the
system and not merely passing by or through it. A web server would
preferably run on a system in the DMZ, and if not heavily trafficked can run
well on an old cheap PC.
To state this in another way: just because something is possible does not
mean it should be done, or is the preferred way of doing things.
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>