Firewall Configuration Question... Is this possible?

R. DuFresne dufresne at sysinfo.com
Mon Aug 1 19:13:25 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 31 Jul 2005, /dev/rob0 wrote:

> Timothy Patterson wrote:
>> I currently have NAT set using masquerading to allow internet access
>> from all of our internal computers on the network.  My problem is that I 
>> am also trying to run Apache on the box that is doing the NAT
>> translation rules.  Is it possible to run a web server on the same box 
>> that is performing the translations?
>
> Of course.
>
>> If so, could someone give me a quick example on how to accomplish
>
> Restrict SNAT by interface. Only do it for clients on the LAN.
>
>> this?  I've tried googling for this, but I have not found any pertinent 
>> results.
>
> The NAT HOWTO?
>

Doable, but not advised; a firewall should be single purpose, most servers 
should be single purpose where possible.  But then this is not often the 
case.  But a firewall certainly should be a single purpose system much 
like a router is; they do similar work anyway.

Putting a web server on the firewall makes the firewall and the whole 
internal network subject to any issues that the web services now face, 
plus you now have to allow another set of ports/protocols directly to the 
system and not merely passing by or through it.  A web server would 
preferably run on a system in the DMZ, and if not heavily trafficked can run 
well on an old cheap PC.

To state this in another way: just because something is possible does not 
mean it should be done, or is the preferred way of doing things.

Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC7lg4st+vzJSwZikRAsk4AJ44/FggWHAp2k4mUCTZMo65fJUlYQCgt7by
0ogLObSUx2jCPWSydRUVZ3A=
=6ovs
-----END PGP SIGNATURE-----
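The two approaches discussed in this thread, "restrict SNAT by interface" with Apache on the NAT box reachable only from the LAN, and the alternative Ron recommends of putting the web server on a separate DMZ host and forwarding to it, expressed as an iptables rule set. This is an added example, not part of the original thread or the NAT HOWTO; the interface names (eth0/eth1), the LAN range 192.168.1.0/24 and the DMZ host 10.0.0.10 are assumptions, and the IPT variable defaults to echo so the script prints the rules instead of applying them (set IPT=iptables and run as root to apply).

```shell
#!/bin/sh
# Added example (not from the original thread). All names below are
# constructed assumptions: eth0 = Internet side, eth1 = LAN side,
# 192.168.1.0/24 = LAN range, 10.0.0.10 = web host in the DMZ.
# IPT defaults to "echo" so the rules can be dry-run on any machine.
IPT="${IPT:-echo}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_WEB="${DMZ_WEB:-10.0.0.10}"

# Stateful baseline: default deny on INPUT and FORWARD, allow loopback and
# already-established flows, and let LAN clients out to the Internet.
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
}

# "Restrict SNAT by interface": masquerade only packets that came from the
# LAN range and leave via the WAN interface. Traffic to or from the
# firewall's own services never matches this rule.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Option "local": Apache runs on the firewall but is reachable only from the
# LAN side; port 80 on the WAN interface is explicitly dropped.
local_web_rules() {
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j DROP
}

# Option "dmz" (the recommendation in the thread): the web server lives on a
# separate DMZ host. Port 80 arriving on the WAN side is DNATed to it, and
# only that flow is allowed to be forwarded to the DMZ host.
dmz_web_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB":80
    $IPT -A FORWARD -i "$WAN_IF" -d "$DMZ_WEB" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Emit (or apply) the whole rule set; the argument selects the web option.
build_ruleset() {
    base_rules
    nat_rules
    case "${1:-local}" in
        local) local_web_rules ;;
        dmz)   dmz_web_rules ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Usage: sh nat-web.sh [local|dmz]   (dry run; IPT=iptables to apply)
build_ruleset "$1"
```

The interface and source matches on the POSTROUTING rule are the whole point: with a bare `-j MASQUERADE` and no `-o`/`-s`, replies from the firewall's own Apache would be rewritten too, which is the symptom that usually sends people to the NAT HOWTO.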
