This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT vs Packet filtering

Hi all, I have a web server sit in the DMZ and IP 10.10.10.1, and real IP 1.2.3.2 in external NIC on firewall. Using DNAT to transfer port 80 request to DMZ web server.

If I am doing so, do I need to do anything in packet filtering in order to protect the machine? Since I found I cannot do anything else already such as FTP, etc.

As for the above setting, am I setting the right configuration? Should I use real IP for web server in DMZ or currently I am setting the right config? Pros and Cons?

Many thanks.

felix [:S]

This thread was automatically locked due to age.

0 Kenn over 23 years ago

For what it's worth-

I am doing exactly that- I have an external ip (EXT-NIC 20.20.20.1), and an internal web server (WS1 10.10.10.1) with a DNAT rule of

PreNAT Destination - EXT-NIC
PreNAT Service - HTTP
PostNAT Destination - WS1
PostNAT Servcie - HTTP

Super simple Packet filter rules as such:
any - http - WS1 allow
any - any - any deny

This allows packet filtering (after the dnat) to occur- blocks everything but normal web traffic. I'm not sure you can set it any other way. I had originally tried setting the packet filter rule to

any - http - EXT-NIC

but that wouldn't put the traffic where I wanted it.

Another method might be to use masquerading, but then you'd lose the source address of the requestor- doesn't seem to be an optimal solution.

as a side note- in this respect, Astaro out performs Checkpoint in that with Checkpoint, it's difficult (if not impossible) to use a single address and have differnt ports for that single address be routed to different servers in the DMZ.

Good job Astaro!
This
Cancel
Vote Up 0 Vote Down

Cancel