Firewall Wizards mailing list archives

Re: NAT for public IPs


From: Kevin <kkadow () gmail com>
Date: Fri, 28 Jan 2005 09:58:42 -0600

On Thu, 27 Jan 2005 11:23:17 -0600, Jose Hidalgo Herrera
<jose () hostarica com> wrote:
> I'd like to know the advantages of having publicly available services
> like http and ftp (that can have public IPs) behind NAT in a DMZ with
> private IPs.
>
> Example:
>
> Common scenario:
> internet -> firewalls -> [servers with public services using public ips]
>
> NAT scenario:
> internet -> firewalls -> NAT gateway -> [servers with public services
> using private ips]

NAT adds flexibility.  For example, one public IP address might actually
be directed to a load-balanced pool of servers; the load-balancer does
the NAT and knows about all of the available private IPs.

Or you could redirect different services for that one public IP to different
servers, the IP address of "example.com" on port 80 might go to the
web server(s), while connections on port 25 would go to a mail server,
etc.

There are drawbacks -- some server software and some scripting
backends will try to rewrite URLs with what the app thinks is the
"real" IP of the server, or will otherwise reveal the private addressing.
Protocols like FTP and IPSEC add complexity to NAT.


> Sorry if this is a dummy question.

Actually, a good question.

Kevin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
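
The two things Kevin describes (one public IP fanned out by port to different DMZ hosts, with port 80 spread over a pool) and the FTP caveat he raises can be shown in one concrete gateway ruleset. The following nftables configuration is an added example for this archive page, not something posted in the thread, and every address and interface name in it is an assumption: 203.0.113.10 is the single public IP, 10.0.0.11 and 10.0.0.12 are two web servers, 10.0.0.20 the mail server, 10.0.0.30 the FTP server, eth0 the outside and eth1 the DMZ interface.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original mailing-list post).
# Assumed addressing:
#   203.0.113.10   the one public IP on the gateway's outside interface (eth0)
#   10.0.0.11/.12  two web servers in the DMZ (private)
#   10.0.0.20      mail server in the DMZ
#   10.0.0.30      FTP server in the DMZ
#   eth1           the DMZ-facing interface
flush ruleset

table ip nat {
    # Port-based redirection of a single public IP to different servers.
    # Port 80 is spread round-robin over a two-host pool via numgen.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 203.0.113.10 tcp dport 80 dnat to numgen inc mod 2 map { 0 : 10.0.0.11, 1 : 10.0.0.12 }
        ip daddr 203.0.113.10 tcp dport 25 dnat to 10.0.0.20
        ip daddr 203.0.113.10 tcp dport 21 dnat to 10.0.0.30
    }

    # Hairpin case: a DMZ host that connects to the public IP (for example an
    # application that builds URLs from its public hostname) must also be
    # source-NATed, otherwise the server answers the client directly with its
    # private address and the client drops the reply.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.0.0.0/24 ip daddr 10.0.0.0/24 ct status dnat masquerade
    }
}

table ip filter {
    # FTP carries an IP:port inside the control channel (PORT / PASV), so the
    # kernel's ftp helper must parse and rewrite it and then expect the data
    # connection. Helpers are no longer auto-assigned; bind one explicitly.
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }

    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        tcp dport 21 ct helper set "ftp-standard"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # "related" covers the FTP data connection the helper expected.
        ct state established,related accept
        # Only traffic that actually matched a dnat rule may reach the DMZ.
        iifname "eth0" oifname "eth1" ct status dnat accept
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; `conntrack -L` will show each translated flow with its public and private tuples. For the FTP helper to rewrite payloads the `nf_conntrack_ftp` and `nf_nat_ftp` modules have to be loaded. Two of Kevin's caveats are outside the gateway's reach: an application that emits its own private IP in a redirect or a generated link has to be fixed in the application (give it its canonical public name), and IPsec through NAT needs NAT traversal (UDP encapsulation on port 4500) on both peers rather than anything in this ruleset.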
