Thanks, I see your point. I guess I never really thought about it like that.

- Don

On 4/22/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 4/22/05, Don Munyak <don dot munyak at gmail dot com> wrote:
> > Not to question your wisdom, but rather better my understanding.
> >
> > I can see using public IP's for a DMZ, but why would you want public
> > IP's on the LAN at all.
> >
>
> My opinion would be, if you have 'em, why not? NAT is a kludge,
> really. There are many protocols that aren't NAT friendly, and while
> there are certain workarounds, it's easier to just use all public
> IP's if you can. It also affords better accountability. If you have,
> say 20 hosts on your LAN, and get a notice that IP w.x.y.z is
> attacking another machine, or you get sued by the RIAA/MPAA, with NAT
> it could be any of the LAN hosts, with public IP's on everything you
> know exactly what machine was at fault (not that you couldn't figure
> it out via other means, but regardless).
>
> In most circumstances having that many public IP's is too expensive to
> be cost justifiable. (though I have worked at a place with a few
> thousand LAN hosts all with public IP's) You could also argue that
> it's potentially less secure, since if you mess up your firewall
> rules, you could easily leave your LAN wide open. In a default
> m0n0wall configuration with NAT from the LAN and no custom NAT
> configuration, adding an allow all from any to any rule on the WAN
> only opens up your webGUI to the entire world. If you had public IP's
> on the LAN side, that same rule would open up your entire LAN to the
> world.
>
> -Chris
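As an added illustration of the exposure difference Chris describes (example code written for this page, not from the list or from m0n0wall itself): a small Python model of an inbound packet's path, NAT first, then the WAN rules with first match wins and default deny, used to list which listening services an Internet client could reach. The addresses, hosts, services and rule format are constructed, and the first-match evaluation is a simplification of the real ipfilter behaviour.

```python
import ipaddress  # constructed example model, not m0n0wall's own code

def nat_destination(fw, dst_ip, dst_port):
    """Where a packet from the Internet to dst_ip:dst_port ends up, or None."""
    if not fw["nat"]:
        return dst_ip, dst_port  # routed public LAN: hosts are addressed directly
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(fw["lan_subnet"]):
        return None  # RFC 1918 LAN addresses are not routable from the Internet
    for fwd in fw.get("port_forwards", []):
        if dst_ip == fw["wan_ip"] and dst_port == fwd["wan_port"]:
            return fwd["lan_ip"], fwd["lan_port"]
    return dst_ip, dst_port  # no forward: the packet terminates on the firewall

def wan_rules_pass(rules, dst_ip, dst_port):
    """First-match evaluation of the WAN rule list on the translated destination."""
    for rule in rules:
        if rule["dst"] in ("any", dst_ip) and rule["port"] in ("any", dst_port):
            return rule["action"] == "pass"
    return False  # nothing matched: default deny

def exposed_from_wan(fw):
    """Listening services (ip:port) an arbitrary Internet client can reach."""
    probes = {(ip, p) for ip, ports in fw["services"].items() for p in ports}
    probes |= {(fw["wan_ip"], f["wan_port"]) for f in fw.get("port_forwards", [])}
    exposed = set()
    for ip, port in probes:
        dest = nat_destination(fw, ip, port)
        if dest is None or dest[1] not in fw["services"].get(dest[0], []):
            continue  # not routable, or nothing listening there
        if wan_rules_pass(fw["wan_rules"], *dest):
            exposed.add(f"{dest[0]}:{dest[1]}")
    return exposed

ALLOW_ALL = [{"action": "pass", "dst": "any", "port": "any"}]  # the rule under discussion

def nat_lan_firewall(wan_rules, port_forwards=()):
    """Default layout: private LAN behind NAT; webGUI on the firewall's own port 80."""
    return {"wan_ip": "203.0.113.2", "nat": True, "lan_subnet": "192.168.1.0/24",
            "services": {"203.0.113.2": [80], "192.168.1.10": [22, 445], "192.168.1.11": [3389]},
            "port_forwards": list(port_forwards), "wan_rules": wan_rules}

def public_lan_firewall(wan_rules):
    """Same hosts and services on a routed public LAN (198.51.100.0/24), no NAT."""
    return {"wan_ip": "203.0.113.2", "nat": False, "lan_subnet": "198.51.100.0/24",
            "services": {"203.0.113.2": [80], "198.51.100.10": [22, 445], "198.51.100.11": [3389]},
            "wan_rules": wan_rules}

if __name__ == "__main__":
    print("NAT LAN, allow-all on WAN:   ", sorted(exposed_from_wan(nat_lan_firewall(ALLOW_ALL))))
    print("Public LAN, allow-all on WAN:", sorted(exposed_from_wan(public_lan_firewall(ALLOW_ALL))))
```

With NAT the allow-all rule reaches only the firewall's own webGUI; on the routed LAN the same rule reaches every listening service behind it, and with no pass rule neither layout exposes anything.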