DMZ Setup Question
/dev/rob0
rob0 at gmx.co.uk
Wed Nov 30 20:51:11 CET 2005
On Wednesday 2005-November-30 12:32, Derick Anderson wrote:
> My inclination would be to use NAT (MASQUERADE) for your internal
> hosts just because it makes things simpler (not necessarily more
> secure) and your DMZ doesn't need routes to your internal network.
> Some may say then that simpler is more secure and I agree, but I
> still say that NAT is a routing tool and not a security tool.
The only potential security issue is one that SHOULD have already been
addressed by disabling packet forwarding on the DMZ machines, and that
is that an upstream attacker might route packets to your LAN machines
using [a] DMZ machine[s] as gateway.
Otherwise I agree with you and Derick. I prefer routing when it's a
possibility.
Even without the LAN routes the DMZ machines should not allow packet
forwarding.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
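An added example, not part of the thread, of what "disabling packet forwarding on the DMZ machines" looks like on a Linux DMZ host: a POSIX sh audit of the kernel forwarding switches plus a hardening function. The sysctl keys and netfilter commands are the standard Linux ones; the check takes file paths as parameters so it can be run against constructed files as well as /proc/sys.

```shell
#!/bin/sh
# Audit a DMZ host for the one thing the thread says must already be done:
# no packet forwarding, so the box cannot serve as a gateway from upstream
# into the LAN. Keys and paths are the standard Linux ones.

# forwarding_disabled FILE
#   0 -> FILE holds "0"        (forwarding off)
#   1 -> FILE holds other value (forwarding on)
#   2 -> FILE absent/unreadable (e.g. IPv6 not configured)
forwarding_disabled() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "0" ]
}

# audit_forwarding FILE... : one verdict per file; returns 1 if any FAIL.
audit_forwarding() {
    rc=0
    for f in "$@"; do
        st=0
        forwarding_disabled "$f" || st=$?
        case $st in
            0) echo "OK   $f = 0" ;;
            2) echo "SKIP $f (not present)" ;;
            *) echo "FAIL $f != 0: host can forward packets into the LAN"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_live: check the running kernel's IPv4 and IPv6 forwarding switches.
audit_live() {
    audit_forwarding /proc/sys/net/ipv4/ip_forward \
                     /proc/sys/net/ipv6/conf/all/forwarding
}

# harden_forwarding: switch forwarding off now and set the netfilter FORWARD
# policy to DROP as a second line of defence. Run as root on the DMZ host;
# persist the sysctl values in /etc/sysctl.conf so they survive a reboot.
harden_forwarding() {
    sysctl -w net.ipv4.ip_forward=0
    sysctl -w net.ipv6.conf.all.forwarding=0
    iptables -P FORWARD DROP
    ip6tables -P FORWARD DROP
}
```

Run `audit_live` on each DMZ host; any FAIL line means the host can still route between its interfaces regardless of whether it holds LAN routes.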