Benedict simon wrote:

> actually I have a current setup running for some time and working well;
> my internal network of servers (like mail, web, DNS) is under
> Shorewall with public IPs
>
> but there was just a debate as to whether to run the public servers, currently on public
> IPs, on private IPs and NAT them ... as enhancing the security ....

NAT seems to fascinate some people, strange how "broken" should come to be regarded as "good" ;-)

NAT won't protect you from a compromised machine being used for outbound attacks on others - a good firewall will. NAT won't stop anything inbound that couldn't be stopped by a good firewall. The only difference is that should the firewall fail (such as Shorewall fail to load) then NAT does provide the equivalent of a "drop all" policy.

If you have it working, then don't change it. IMO, NAT breaks far more than the minor security benefits are worth.

Come IPv6 we'll be using public IPs again, then we can have the same argument all over again :-)

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
