
Re: Firewall NAT

To: <misc@openbsd.org>
Subject: Re: Firewall NAT
From: Kit Halsted <kit@kithalsted.com>
Date: Wed, 28 Feb 2001 14:30:31 -0500
In-reply-to: <Pine.BSO.4.33.0102271510360.17189-100000@hamon.hagakure.org>
References: <Pine.BSO.4.33.0102271510360.17189-100000@hamon.hagakure.org>
Sender: owner-misc@openbsd.org
At 3:21 PM -0800 2/27/01, Dave Taira wrote:
On Tue, 27 Feb 2001, Kit Halsted wrote:

 I'm installing a firewall at my main client's site, but one of the
 other consultants is doing most of the work on it. I want to NAT it
 in such a way that each external address corresponds to an internal
 address. He wants to NAT it in such a way that only a few specific
 hosts are mapped like that, & the other 60 machines are all NATted
 off of a single IP.

You should each answer the question "why?". That is, why do you want
it one way, and why does he want it the other way. What are the
benefits, what are the costs? Then, you should both try to determine
"what is best for the client?".

Gotcha. I think we both understand each other's points of view, but would agree to disagree if it wasn't a situation where a decision is required. I think streaming media & other such things that break under Many:1 NAT will end up being the deciding factor.

Perhaps by presenting both options
to the client, and asking if they have a preference.

I think the client's preference is to sit back & watch us argue with a big grin on his face.

From your brief description, you've got 60-something machines on a
LAN, and I'm guessing a /24 to /26 from your ISP?

Yep. We've got about 65 machines, not counting virtual servers, on a class C.

Off the top of my
head, mapping each internal address to a specific external address
is nice for accountability, but only scales so far (IP allocation
being the limiting factor), and is more work to maintain.

I'm not sure I understand how it's more work, unless I'm misunderstanding the IPNAT FAQ. I should be able to tell IPNAT to map my public space to my private space in one line, no?

+------------------------------------------------------------------------+
| Dave Taira <bodhi@hagakure.org>                2001.02.27/15:21:05 PST |
| Morlock for Hire                                                       |
+------------------------------------------------------------------------+
| Madness takes its toll.  Please have exact change.                     |
+------------------------------------------------------------------------+

Right, here you go: 2 chickens & a banana peel.

Thanks,
-Kit
--


Kit Halsted
Network Administrator, Blue Dingo/GB
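The two designs argued over in this thread, written out as an ipnat.conf fragment. This is an added example, not configuration from either poster; the interface name xl0, the public block 192.0.2.0/24 and the private block 10.0.0.0/24 are assumed placeholders, and the rules are in IPFilter's ipnat(5) syntax, which is what the thread's "IPNAT" refers to.

```conf
# Added example (not from the thread). Interface xl0, public block
# 192.0.2.0/24 and private block 10.0.0.0/24 are assumed placeholders.
#
# ipnat uses the FIRST matching rule, so host-specific lines must come
# before any catch-all line; ordering decides which design each host gets.

# --- Design 1: one public address per internal host (1:1, both directions).
# Every host is reachable from outside on its own address and every
# outbound flow shows up in the ISP's records as that one address, so
# accountability is built into the addressing; the cost is one public
# address (and one line) per host, which is what stops scaling.
bimap xl0 10.0.0.10/32 -> 192.0.2.10/32
bimap xl0 10.0.0.11/32 -> 192.0.2.11/32
# ... one bimap line per host

# --- Design 2: a few 1:1 hosts, the remaining ~60 hidden behind one address.
# Hosts that must be reachable or individually identifiable keep a bimap.
bimap xl0 10.0.0.20/32 -> 192.0.2.20/32

# Everything else leaves as the interface address (0/32 = address of xl0).
# Protocols that carry addresses or ports inside the payload break under
# many:1 NAT unless the firewall rewrites them; ipnat ships an FTP proxy
# for that case, but the streaming-media protocols the thread mentions
# have no such helper here.
map xl0 10.0.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map xl0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:20000
map xl0 10.0.0.0/24 -> 0/32
```

With Design 2 the question "which internal host made this connection?" can no longer be answered from the public address alone; it needs the NAT state table (`ipnat -l`) or NAT logging captured at the time of the connection, so the accountability Dave mentions moves from the address plan to the firewall's logging and its retention.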
