Wildcards in reverse DNS
Marc Haber
mh+bind-users at zugschlus.de
Sat Jan 6 09:25:49 UTC 2007
On Sat, Jan 06, 2007 at 12:26:24PM +1100, Mark Andrews wrote:
> I really don't see why people insist that they need port /
> address translation. A stateful firewall is just as good
> at providing protection and doesn't have the downsides
> introduced as a side effect of the port / address translation.
I have to agree with the conservative people here that NAT is an added
layer of protection against configuration errors. I once saw a
case where an accidental "allow all" was inserted into a stateful
packet filter, which caused a server with an official IP address that
was supposed to be "protected" by that packet filter to be r00ted in
no time. Had this server been behind a NAT gateway with only tcp/80 DNATted
to the site local IP address of the server, this configuration error
wouldn't have been remotely as bad.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835