
RE: Security: port-fw vs. ip-aliasing



It seems that Stan Kaufmann thought about the same problem here.
To make it clear, I really appreciate a DMZ :-) but I wonder how to get the
packets in there. At least as far as I understood the topic I have two
choices: port-forwarding (if my mail.x.com domain and my www.x.com domain
are on one IP address) or ip-aliasing (if my mail.x.com domain and my
www.x.com domain are on different IP addresses).

Pros & Cons:

Port-forwarding:
  + simple firewall ruleset (thanks Cory)
  - one can't access own DMZ web services easily
    (spoofing - see Cory's mail on that)
  - only one service per port

ip-aliasing:
  - complex firewall ruleset
  + can access own DMZ web services? (request for confirmation here)
  + using all the paid IP addresses :-)

Did I miss some important points?

Looks like forwarding is the best option - if you only need one service on
every port.


Thanks for all your feedback,

tom


