On Fri, 18 Mar 2005 01:02:31 -0500, Claude Morin <klodefactor at gmail dot com> wrote:
> Thanks for the pointer to setting up a filtered bridge.
> Stupid question: given the drawback of not having access from the LAN
> interface, what advantage(s) does this setup have over 1:1 NAT?
> That's what I set up for our own colo, and it's working beautifully.
If you don't have a LAN, as with any colo setup (unless you hang out
in the colo I guess), it doesn't matter. With a bridge setup, you can
put public IPs directly on the systems without having your own public
IP subnet on a m0n0wall interface. Some people prefer putting public
IPs directly on the systems rather than using NAT. It's a matter of
personal preference really, either will work fine.
You could argue using 1:1 NAT is more secure (or less risky I suppose)
because if you accidentally plugged in the switch behind the bridge
outside the firewall, there wouldn't be any firewall protection, and
things would continue to work properly so you might not notice. With
private IPs on the servers, everything would stop working if plugged
into the wrong place.