 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Don Munyak <don dot munyak at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DHCP With Public IP's
 Date:  Fri, 22 Apr 2005 17:35:01 -0400
On 4/22/05, Don Munyak <don dot munyak at gmail dot com> wrote:
> Not to question your wisdom, but rather better my understanding.
> I can see using public IPs for a DMZ, but why would you want public
> IPs on the LAN at all?

My opinion would be, if you have 'em, why not?  NAT is a kludge,
really.  There are many protocols that aren't NAT friendly, and while
there are certain workarounds, it's easier to just use all public
IPs if you can.  It also affords better accountability.  If you have,
say, 20 hosts on your LAN, and get a notice that IP w.x.y.z is
attacking another machine, or you get sued by the RIAA/MPAA, with NAT
it could be any of the LAN hosts; with public IPs on everything you
know exactly what machine was at fault (not that you couldn't figure
it out via other means, but regardless).

In most circumstances having that many public IPs is too expensive to
be cost justifiable (though I have worked at a place with a few
thousand LAN hosts all with public IPs).  You could also argue that
it's potentially less secure, since if you mess up your firewall
rules, you could easily leave your LAN wide open.  In a default
m0n0wall configuration with NAT from the LAN and no custom NAT
configuration, adding an allow all from any to any rule on the WAN
only opens up your webGUI to the entire world.  If you had public IPs
on the LAN side, that same rule would open up your entire LAN to the