Thanks, I see your point. I guess I never really thought about it like that.
On 4/22/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 4/22/05, Don Munyak <don dot munyak at gmail dot com> wrote:
> > Not to question your wisdom, but rather to better my understanding.
> > I can see using public IPs for a DMZ, but why would you want public
> > IPs on the LAN at all?
> My opinion would be, if you have 'em, why not? NAT is a kludge,
> really. There are many protocols that aren't NAT friendly, and while
> there are certain workarounds, it's easier to just use all public
> IPs if you can. It also affords better accountability. If you have,
> say, 20 hosts on your LAN, and get a notice that IP w.x.y.z is
> attacking another machine, or you get sued by the RIAA/MPAA, with NAT
> it could be any of the LAN hosts; with public IPs on everything you
> know exactly what machine was at fault (not that you couldn't figure
> it out via other means, but regardless).
> In most circumstances having that many public IPs is too expensive to
> be cost justifiable (though I have worked at a place with a few
> thousand LAN hosts all with public IPs). You could also argue that
> it's potentially less secure, since if you mess up your firewall
> rules, you could easily leave your LAN wide open. In a default
> m0n0wall configuration with NAT from the LAN and no custom NAT
> configuration, adding an allow all from any to any rule on the WAN
> only opens up your webGUI to the entire world. If you had public IPs
> on the LAN side, that same rule would open up your entire LAN to the
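To make the two points in Chris's reply concrete (how far a careless "pass any to any" WAN rule reaches with a NATed LAN versus a LAN on public addresses, and how an abuse complaint maps back to a host in each setup), here is a small Python model written for this page. It is not m0n0wall code: the hosts, addresses (RFC 5737 documentation ranges), listening ports, and the first-match, default-deny rule semantics are all constructed assumptions for the illustration.

```python
"""Toy model: blast radius of a careless WAN rule, NAT vs. routed LAN.

Constructed for illustration; not m0n0wall's filter or NAT code.
Addresses are from RFC 5737 documentation ranges.
"""
from ipaddress import ip_address, ip_network

FIREWALL_WAN_IP = "203.0.113.1"      # the firewall's own public address
FIREWALL_SERVICES = {80: "webGUI"}   # what the firewall itself answers on

# Constructed LAN: name -> (address, set of listening ports)
LAN_NAT = {
    "web":   ("192.168.1.10", {80}),
    "files": ("192.168.1.20", {445}),
    "desk":  ("192.168.1.30", {3389}),
}
LAN_PUBLIC = {
    "web":   ("203.0.113.10", {80}),
    "files": ("203.0.113.20", {445}),
    "desk":  ("203.0.113.30", {3389}),
}


def rule_matches(rule, src, dst, dport):
    """A rule is a dict with action, src, dst (CIDR or 'any'), dport (int or None)."""
    def in_net(field, addr):
        return field == "any" or ip_address(addr) in ip_network(field)
    return (in_net(rule["src"], src) and in_net(rule["dst"], dst)
            and rule["dport"] in (None, dport))


def wan_decision(rules, src, dst, dport):
    """First matching WAN rule wins; unmatched inbound traffic is blocked
    (the default-deny inbound policy assumed in the thread)."""
    for rule in rules:
        if rule_matches(rule, src, dst, dport):
            return rule["action"]
    return "block"


def deliver(mode, lan, dst, dport, port_forwards=None):
    """Where an inbound packet for dst:dport lands before filtering.
    Returns (host_name, port), or None if nothing answers there."""
    port_forwards = port_forwards or {}
    if mode == "nat":
        if dst != FIREWALL_WAN_IP:
            return None                      # private LAN space is not routable
        if dport in port_forwards:
            return port_forwards[dport]      # explicit inbound NAT mapping only
        return ("firewall", dport) if dport in FIREWALL_SERVICES else None
    # routed mode: every public LAN address is reachable directly
    if dst == FIREWALL_WAN_IP:
        return ("firewall", dport) if dport in FIREWALL_SERVICES else None
    for name, (addr, ports) in lan.items():
        if addr == dst:
            return (name, dport) if dport in ports else None
    return None


def exposed_services(mode, wan_rules, lan, port_forwards=None, src="198.51.100.7"):
    """Every (host, port) an arbitrary internet source can reach via the WAN."""
    candidates = [FIREWALL_WAN_IP] + [addr for addr, _ in lan.values()]
    ports = set(FIREWALL_SERVICES) | {p for _, ps in lan.values() for p in ps}
    reached = set()
    for dst in candidates:
        for dport in sorted(ports):
            if wan_decision(wan_rules, src, dst, dport) != "pass":
                continue
            target = deliver(mode, lan, dst, dport, port_forwards)
            if target:
                reached.add(target)
    return sorted(reached)


def abuse_suspects(mode, lan, reported_ip):
    """Given a complaint naming a source IP, which LAN hosts could it have been?"""
    if mode == "nat":
        return sorted(lan) if reported_ip == FIREWALL_WAN_IP else []
    return sorted(name for name, (addr, _) in lan.items() if addr == reported_ip)


if __name__ == "__main__":
    careless = [{"action": "pass", "src": "any", "dst": "any", "dport": None}]
    print("NAT, allow-all on WAN   :", exposed_services("nat", careless, LAN_NAT))
    print("routed, allow-all on WAN:", exposed_services("routed", careless, LAN_PUBLIC))
    print("suspects behind NAT     :", abuse_suspects("nat", LAN_NAT, FIREWALL_WAN_IP))
    print("suspects, routed        :", abuse_suspects("routed", LAN_PUBLIC, "203.0.113.20"))
```

Running it shows the asymmetry the thread describes: with outbound NAT and no port forwards, the allow-all rule exposes only the firewall's own listener, while the same rule on a routed public LAN exposes every listening service on every host; and an abuse report naming the WAN address narrows to every NATed host, but to exactly one host when each has its own public address.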