DMZ Setup Question

/dev/rob0 rob0 at gmx.co.uk
Wed Nov 30 20:51:11 CET 2005


On Wednesday 2005-November-30 12:32, Derick Anderson wrote:
> My inclination would be to use NAT (MASQUERADE) for your internal
> hosts just because it makes things simpler (not necessarily more
> secure) and your DMZ doesn't need routes to your internal network.
> Some may say then that simpler is more secure and I agree, but I
> still say that NAT is a routing tool and not a security tool.

The only potential security issue is one that SHOULD have already been
addressed by disabling packet forwarding on the DMZ machines, and that
is that an upstream attacker might route packets to your LAN machines
using a DMZ machine as a gateway.

Otherwise I agree with you and Derick. I prefer routing when it's a 
possibility.

Even without the LAN routes the DMZ machines should not allow packet 
forwarding.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
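As an added example, not part of the original thread or anyone's posted configuration, the following POSIX sh script puts the two points above into checkable form: a test that IPv4 forwarding is off on a DMZ host (plus the sysctl lines to keep it off), and the firewall-side FORWARD rules for the routed, no-MASQUERADE design, in which the LAN may open connections into the DMZ but nothing arriving on the DMZ interface is ever forwarded toward the LAN prefix. The interface names (eth1, eth2) and address ranges are assumptions; the accept_source_route lines go beyond what the post says and are labelled as such in the script.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names and
# address ranges are assumptions for illustration only.

# On a DMZ host: return 0 (true) only when IPv4 forwarding is off.
# An alternative file may be passed so the check can be run against a
# copied or constructed value; a missing or unreadable file counts as
# "not known to be disabled", i.e. the check fails closed.
forwarding_disabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "0" ]
}

# Sysctl lines for every DMZ host (for /etc/sysctl.conf, or each via
# sysctl -w). The accept_source_route lines are an addition beyond the
# post: with forwarding off they change nothing, but they close the
# same door should forwarding ever be switched back on.
dmz_host_sysctls() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
}

# On the firewall between LAN and DMZ, the routed (no MASQUERADE)
# design. Order matters: replies to LAN-initiated connections pass
# first, then anything from the DMZ interface that is not sourced
# from the DMZ prefix or is addressed to the LAN prefix is dropped,
# so a DMZ box that does forward packets still cannot reach the LAN.
# Usage: dmz_forward_rules LAN_IF DMZ_IF LAN_NET DMZ_NET
dmz_forward_rules() {
    lan_if=$1 dmz_if=$2 lan_net=$3 dmz_net=$4
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $dmz_if ! -s $dmz_net -j DROP
iptables -A FORWARD -i $dmz_if -d $lan_net -j DROP
iptables -A FORWARD -i $lan_if -o $dmz_if -s $lan_net -d $dmz_net -j ACCEPT
EOF
}

# Stand-alone run: report this host's forwarding state and print the
# rules for the assumed layout (eth1 = LAN, eth2 = DMZ).
if forwarding_disabled; then
    echo "# ip_forward: off"
else
    echo "# ip_forward: on or unknown; on a DMZ host apply:"
    dmz_host_sysctls
fi
dmz_forward_rules eth1 eth2 192.168.1.0/24 10.0.0.0/24
```

Run it on each DMZ host to confirm the first line reads "off", and feed the printed rules to the firewall once the interface names and prefixes have been replaced with real ones.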
