 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DHCP With Public IP's
 Date:  Fri, 22 Apr 2005 20:26:18 -0400
Thanks, I see your point. I guess I never really thought about it like that.

- Don

On 4/22/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 4/22/05, Don Munyak <don dot munyak at gmail dot com> wrote:
> > Not to question your wisdom, but rather to better my understanding.
> >
> > I can see using public IPs for a DMZ, but why would you want public
> > IPs on the LAN at all?
> >
> 
> My opinion would be, if you have 'em, why not?  NAT is a kludge,
> really.  There are many protocols that aren't NAT friendly, and while
> there are certain workarounds, it's easier to just use all public
> IPs if you can.  It also affords better accountability.  If you have,
> say, 20 hosts on your LAN, and get a notice that IP w.x.y.z is
> attacking another machine, or you get sued by the RIAA/MPAA, with NAT
> it could be any of the LAN hosts; with public IPs on everything you
> know exactly what machine was at fault (not that you couldn't figure
> it out via other means, but regardless).
> 
> In most circumstances having that many public IPs is too expensive to
> be cost-justifiable.  (Though I have worked at a place with a few
> thousand LAN hosts all with public IPs.)  You could also argue that
> it's potentially less secure, since if you mess up your firewall
> rules, you could easily leave your LAN wide open.  In a default
> m0n0wall configuration with NAT from the LAN and no custom NAT
> configuration, adding an allow-all from any to any rule on the WAN
> only opens up your webGUI to the entire world.  If you had public IPs
> on the LAN side, that same rule would open up your entire LAN to the
> world.
> 
> -Chris
>
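The two points in Chris's reply (a mistaken allow-all WAN rule has a much larger blast radius on a routed LAN than on a NAT'd one, and an abuse notice naming one IP pins down one host only when the LAN uses public addresses) can be shown with a small model of translation-then-filter delivery. This is an added illustration, not m0n0wall code or anything from the thread; the hostnames, addresses, ports and the `Firewall`/`Rule` classes are constructed for the example, and the order (NAT before filtering, first matching rule wins, default deny) is a simplification of what a pf-style firewall does.

```python
# Constructed model: what an "allow any -> any" rule on the WAN exposes on a
# NAT'd LAN versus a routed LAN with public IPs, plus the accountability
# difference when an abuse report names a single IP. Not m0n0wall code.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    dst: str = "any"             # "any" or a destination IP
    dport: Optional[int] = None  # None means any port


@dataclass
class Firewall:
    wan_ip: str
    nat: bool                    # True: LAN uses private addresses behind wan_ip
    lan_hosts: dict              # host name -> IP (private or public)
    host_services: dict          # host name -> {port: service}
    local_services: dict         # what the firewall itself listens on, e.g. {80: "webGUI"}
    port_forwards: dict = field(default_factory=dict)  # WAN port -> host name
    wan_rules: list = field(default_factory=list)      # first match wins, default deny

    def deliver_from_wan(self, dst_ip: str, dport: int) -> Optional[str]:
        """Return 'host:service' reached by an unsolicited WAN packet, or None."""
        # 1. Translation happens before filtering. With NAT the outside can only
        #    address the WAN IP, so the packet lands on the firewall itself
        #    unless a port forward redirects it to a LAN host.
        if self.nat:
            if dst_ip != self.wan_ip:
                return None      # private LAN addresses are not routable from WAN
            target = self.port_forwards.get(dport, "firewall")
        else:
            target = "firewall" if dst_ip == self.wan_ip else next(
                (h for h, ip in self.lan_hosts.items() if ip == dst_ip), None)
            if target is None:
                return None      # not one of our addresses at all
        target_ip = self.wan_ip if target == "firewall" else self.lan_hosts[target]
        # 2. WAN filter rules, evaluated against the post-translation destination.
        for rule in self.wan_rules:
            if rule.dst in ("any", target_ip) and rule.dport in (None, dport):
                if rule.action != "allow":
                    return None
                break
        else:
            return None          # no rule matched: default deny
        # 3. A permitted packet only matters if something is listening.
        services = self.local_services if target == "firewall" else self.host_services.get(target, {})
        return f"{target}:{services[dport]}" if dport in services else None

    def exposure(self, ports) -> set:
        """Every listener reachable from the WAN on the given ports."""
        reachable = set()
        for ip in [self.wan_ip] + list(self.lan_hosts.values()):
            for port in ports:
                hit = self.deliver_from_wan(ip, port)
                if hit:
                    reachable.add(hit)
        return reachable

    def suspects(self, reported_ip: str) -> set:
        """LAN hosts that could be behind an abuse notice naming reported_ip."""
        if self.nat:
            # Every LAN host shares the WAN address, so all of them are candidates.
            return set(self.lan_hosts) if reported_ip == self.wan_ip else set()
        return {h for h, ip in self.lan_hosts.items() if ip == reported_ip}


HOST_SERVICES = {"fileserver": {445: "smb"}, "workstation": {3389: "rdp"}}
ALLOW_ALL = [Rule("allow")]   # the mistaken "allow any to any" WAN rule


def natted() -> Firewall:
    """Default-style setup: private LAN, NAT to the WAN IP, no port forwards."""
    return Firewall("203.0.113.10", True,
                    {"fileserver": "192.168.1.10", "workstation": "192.168.1.20"},
                    HOST_SERVICES, {80: "webGUI"}, wan_rules=ALLOW_ALL)


def routed() -> Firewall:
    """Same hosts and services, but each LAN host has its own public IP."""
    return Firewall("203.0.113.10", False,
                    {"fileserver": "203.0.113.20", "workstation": "203.0.113.30"},
                    HOST_SERVICES, {80: "webGUI"}, wan_rules=ALLOW_ALL)


if __name__ == "__main__":
    for fw in (natted(), routed()):
        label = "NAT'd LAN" if fw.nat else "public-IP LAN"
        print(label, "exposed by allow-all:", sorted(fw.exposure([80, 445, 3389])))
    print("NAT suspects for 203.0.113.10:", sorted(natted().suspects("203.0.113.10")))
    print("routed suspects for 203.0.113.20:", sorted(routed().suspects("203.0.113.20")))
```

With the same allow-all rule, the NAT'd firewall exposes only its own webGUI, while the routed one exposes every listening service on the LAN; and an abuse notice naming the WAN address leaves every NAT'd host as a suspect, whereas on the routed LAN it names exactly one machine.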