Is this safe?



  • Hi Everyone,

    My ISP can give me a block of public IP addresses. Is it safe for me to create a "routed subnet" by giving hosts on my DMZ interface public IPs, and using pfSense just to firewall these hosts?

    I don't want to do NAT for my DMZ subnet.

    Many Thanks

    Jonathan



  • How do you get these public IPs?
    Do you just have this public block, and the ISP routes traffic for this block to another public IP which you have on the WAN?
    Or is the gateway for this public block on the ISP's side?



  • The systems don't have to be any less protected if they each have their own IP than if you are using NAT.  Either way you can still block all inbound connections.  The only difference is that systems on the internet will see a different IP address for each system that accesses them and instead of forwarding ports you only need to make allow rules on the firewall.



  • @GruensFroeschli:

    How do you get these public IPs?
    Do you just have this public block, and the ISP routes traffic for this block to another public IP which you have on the WAN?
    Or is the gateway for this public block on the ISP's side?

    I'm not sure. This pfSense install will go in a co-location datacentre. How do co-los usually give you IPs?

    I'd like to give each host on the DMZ side of pfSense public IPs; however, I'd still like pfSense to firewall the ports and protocols.

    Efonne: Yep, I guessed as such. I'm just wondering if pfSense's implementation of not using NAT (i.e. not forwarding ports) is safe and secure. The machines on the DMZ side of pfSense will be hosting applications for customers containing sensitive information, so naturally I want to do what's right.

    Thanks



  • Could someone also please explain to me whether I'm going about this the right way:

    I would assign the first publicly available IP to my WAN interface, then assign the second publicly available IP to the DMZ interface, then assign the remaining IPs to the hosts in the DMZ. I then use the pfSense firewall rules to say what ports are allowed from the WAN to the DMZ.

    Is that correct? Am I using "bridging"?

    Also, in the following document, what does the author mean by "Please also keep in mind that the option WAN address as source or destination will not be the first choice when running pfSense in transparent mode":
    http://pfsense.trendchiller.com/transparent_firewall.pdf

    Thanks

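The "allow rules instead of port forwards" that Efonne describes, and the WAN / DMZ interface / DMZ hosts addressing that Jonathan lays out in the post above, written out as a plain pf ruleset for the routed (no NAT, no bridge) layout. This is an added example, not code from this thread or from the pfSense project (pfSense generates its own pf rules from what you enter in the GUI). It assumes the first case GruensFroeschli asked about: the WAN address comes from a small ISP transit block and the ISP routes the larger block to that WAN address, so the whole routed block lives behind the DMZ interface, which takes its first address. Interface names em0/em1 and the RFC 5737 documentation ranges 203.0.113.0/29 (WAN transit) and 198.51.100.0/28 (routed DMZ block) are constructed example values.

```pf
# Assumed interface names; pfSense calls these WAN and DMZ in the GUI.
ext_if = "em0"
dmz_if = "em1"

# Constructed example addresses (RFC 5737 documentation ranges).
# WAN gets 203.0.113.2/29 from the ISP transit block; the ISP routes
# 198.51.100.0/28 to that address. DMZ interface is 198.51.100.1/28.
dmz_net  = "198.51.100.0/28"
web_srv  = "198.51.100.10"
mail_srv = "198.51.100.11"

set skip on lo0
scrub in all

# No NAT and no port forwards: there is deliberately no "nat on $ext_if"
# and no "rdr" rule. The DMZ addresses are reachable as-is, so access
# control is entirely a matter of the pass rules below.

# Default deny, logged, for every interface and direction.
block log all

# Anti-spoofing: a packet arriving on WAN that claims a DMZ source is
# forged, and pf's antispoof handles the reverse for each interface.
block in quick on $ext_if from $dmz_net to any
antispoof quick for { $ext_if $dmz_if }

# Inbound from the Internet to specific DMZ services only. Each rule is
# the equivalent of one "port forward" in a NAT setup, minus the rewrite.
pass in on $ext_if inet proto tcp from any to $web_srv port { 80 443 } flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass in on $ext_if inet proto icmp from any to $dmz_net icmp-type echoreq keep state

# Deliver permitted traffic onto the DMZ segment (with floating states,
# the state created on WAN already covers this; the rule makes it explicit).
pass out on $dmz_if inet from any to $dmz_net keep state

# Outbound from the DMZ hosts. Tighten this to what the applications
# actually need (DNS, NTP, updates, upstream APIs) rather than "any".
pass in on $dmz_if inet from $dmz_net to any keep state
pass out on $ext_if inet from $dmz_net to any keep state

# The firewall's own outbound traffic (DNS, NTP, package fetches).
pass out quick on $ext_if inet from ($ext_if) to any keep state
```

Two things to check when translating this into pfSense: the box must forward between interfaces (pfSense enables IP forwarding itself, so nothing to do there), and the rules that make this safe are the default deny plus the short list of explicit passes on WAN, not the absence of NAT. If the DMZ hosts carry sensitive customer data, the outbound rule on the DMZ interface is where a compromised host would call out from, so it deserves the same care as the inbound list.
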
