[nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?
- Subject: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?
- From: alexwr at gmail.com (Alex White-Robinson)
- Date: Wed, 11 Dec 2013 10:13:12 +1300
Wotcha,
>Number 1 gets you thinking along the IPv6 route (no pun, and imho :) )
>since you have to treat each box as if it was public.
I see this kind of statement surprisingly often. Having a public address
doesn't make a device public.
I don't really see a drive to have devices exposed to the internet without
a stateful device in front of them in the IPv6 world. People shouldn't allow
unsolicited connections to hit your internal workstation on any address
scheme.
Cheers,
Alex.
Date: Tue, 10 Dec 2013 05:56:41 +1300
From: Pieter De Wit <pieter at insync.za.net>
To: nznog at list.waikato.ac.nz
Subject: Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?
Message-ID: <52A5F649.7070904 at insync.za.net>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Hi,
I normally use a combination of "1" and "2". I prefer 1 for weird and
"not nat friendly" protocols, like SIP or some other application. The
general rule of thumb is to use number 2 in other cases. In both setups,
remember to deploy local firewalls as well. This will help for the case
when a box on the subnet is hacked.
My other twist is to deploy "1" without the private NIC, along with
local firewalls (and as you said, dedicated FW).
Number 1 gets you thinking along the IPv6 route (no pun, and imho :) )
since you have to treat each box as if it was public.
Cheers,
Pieter