[167380] in North American Network Operators' Group


Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?

daemon@ATHENA.MIT.EDU (Alex White-Robinson)
Tue Dec 10 16:14:17 2013

From: Alex White-Robinson <alexwr@gmail.com>
Date: Wed, 11 Dec 2013 10:13:12 +1300
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Wotcha,

>Number 1 gets you thinking along the IPv6 route (no pun, and imho :) )
>since you have to treat each box as if it were public.

I see this kind of statement surprisingly often. Having a public address
doesn't make a device public. I don't really see a drive to have devices
exposed to the internet without a stateful device in front of them in the
IPv6 world. People shouldn't allow unsolicited connections to hit their
internal workstations on any address scheme.

Cheers,
Alex.


Date: Tue, 10 Dec 2013 05:56:41 +1300
From: Pieter De Wit <pieter@insync.za.net>
To: nznog@list.waikato.ac.nz
Subject: Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?
Message-ID: <52A5F649.7070904@insync.za.net>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Hi,

I normally use a combination of "1" and "2". I prefer 1 for weird and
"not NAT-friendly" protocols, like SIP or some other application. The
general rule of thumb is to use number 2 in other cases. In both setups,
remember to deploy local firewalls as well. This will help in the case
where a box on the subnet is hacked.

My other twist is to deploy "1" without the private NIC, along with
local firewalls (and as you said, dedicated FW).

Number 1 gets you thinking along the IPv6 route (no pun, and imho :) )
since you have to treat each box as if it were public.

Cheers,

Pieter
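Added example (not part of either message above, and not anything the posters
provided): a small POSIX shell script that writes out nftables rulesets for the
two setups the thread compares. The first ruleset is the host firewall Pieter
says to deploy in both cases; it is stateful and covers IPv4 and IPv6 in one
"inet" table, which is the concrete form of Alex's point that a public address
does not make a box reachable. The second is the edge firewall for setup "2",
where only 80/443 are DNATed to a private web server. Interface names (eth0,
eth1), the admin prefixes and all addresses are assumed placeholders from the
RFC 5737 / RFC 3849 documentation ranges and must be replaced before use.

```shell
#!/bin/sh
# Added example, not from the nznog/nanog thread. All interfaces, addresses
# and prefixes below are assumptions (documentation ranges) for illustration.

# Host firewall for the web server itself. Applies in BOTH setups: on a
# dual-homed box (setup "1") it is the only thing between the public address
# and the daemon; behind a DNAT firewall (setup "2") it still limits what a
# compromised neighbour on the same subnet can reach. Being in the "inet"
# family, the same rules protect the IPv4 and IPv6 addresses alike.
write_host_ruleset() {
  cat > "$1" <<'EOF'
table inet webhost {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    # stateful: replies to connections this host opened, nothing else unsolicited
    ct state established,related accept
    ct state invalid drop
    # IPv6 breaks without ICMPv6 (NDP, PMTUD), so allow the needed types rather than blanket-dropping it
    icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big, time-exceeded, parameter-problem, destination-unreachable, echo-request } accept
    icmp type { destination-unreachable, time-exceeded, echo-request } accept
    # the only unsolicited connections a web server should accept
    tcp dport { 80, 443 } ct state new accept
    # management only from the admin networks (assumed prefixes)
    ip saddr 192.0.2.0/24 tcp dport 22 ct state new accept
    ip6 saddr 2001:db8:ad::/64 tcp dport 22 ct state new accept
    log prefix "webhost-drop " drop
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Edge firewall for setup "2": the public address lives on the firewall and
# only 80/443 are DNATed to the private web server. Protocols that carry
# addresses in their payload (SIP) do not survive this without an ALG, which
# is why setup "1" is preferred for them.
write_dnat_ruleset() {
  cat > "$1" <<'EOF'
define WAN = "eth0"
define LAN = "eth1"
define WEB_PRIV = 10.0.10.20
define WEB_PUB = 198.51.100.10

table ip edge {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iif $WAN ip daddr $WEB_PUB tcp dport { 80, 443 } dnat to $WEB_PRIV
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oif $WAN ip saddr 10.0.10.0/24 masquerade
  }
}

table inet edgefilter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # only the DNATed flows may cross from WAN to the web server
    iif $WAN oif $LAN ip daddr $WEB_PRIV tcp dport { 80, 443 } ct state new accept
    # outbound from the DMZ; this is also the path a compromised box would pivot out on
    iif $LAN oif $WAN ct state new accept
    log prefix "edge-drop " drop
  }
}
EOF
}

# Count the rules in a generated file that accept NEW inbound connections:
# this is the whole unsolicited attack surface and should stay small.
count_new_accepts() {
  grep -c 'ct state new accept' "$1"
}

# Syntax-check a ruleset without loading it, when nft is installed.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$1"
  else
    echo "nft not installed; skipping syntax check for $1" >&2
  fi
}

# Stand-alone usage: write both rulesets to a temp dir and report on them.
tmp=$(mktemp -d)
write_host_ruleset "$tmp/webhost.nft"
write_dnat_ruleset "$tmp/edge.nft"
for f in "$tmp"/*.nft; do
  echo "$f: $(count_new_accepts "$f") rule(s) accepting new connections"
  check_ruleset "$f" || echo "syntax check failed for $f (or needs privileges)" >&2
done
```

The host ruleset is the one to keep even when the edge firewall exists: the
edge only sees traffic crossing it, while a compromised neighbour on the same
subnet talks to the web server directly and is stopped only by the host's own
policy-drop input chain.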
