Public IPs for machines behind pfsense
-
"It's still bad practice to give a host a public IP."
Not if its a public server, say Web Server ;) Email Server, FTP Server, etc. etc. etc..
If the host is connected to the public net to provide something to the public net then yes it would need a public IP.
So your suggesting that every server should be behind a NAT?
For additional protection I'd say so. Otherwise you are putting all your faith in software firewall solutions.
-
"Otherwise you are putting all your faith in software firewall solutions."
Again more FUD!! Just because a host has a public IP, does not mean its not behind a firewall that is not doing NAT.
-
"Otherwise you are putting all your faith in software firewall solutions."
Again more FUD!! Just because a host has a public IP, does not mean its not behind a firewall that is not doing NAT.
How about stop being a dick, and explain then? I'm here to learn as much as everyone else.
I have always been told to use NAT and put servers on a separate LAN. Without putting special configurations, I didn't know you could firewall effectively if you have a DMZ'ed host with a public IP.
-
Not trying to be a "dick" I assure you - its just that your statements are FUD.. If you are not sure then you should word them as questions and not what "seems" to be a FACT in your mind?
example.
–--So your suggesting that every server should be behind a NAT?
For additional protection I'd say so. Otherwise aren't you just putting all your faith in software firewall solutions on the host?.
–--Not sure what firewalls you have worked with in the past, but I assure you you do not have to be behind a nat to process rules that either allow or deny access. Not sure where you would of gotten that idea other than maybe home type routers, and normally those routers don't even really create a real DMZ, more of what they call a DMZ Host - which is just the forwarding of ports that are not otherwise forwarded already.
More than happy to help you with any questions you have.. Who told you this "I have always been told to use NAT and put servers on a separate LAN".. This is just FUD plain and simple.
I think its already been brought up - if this is your understanding, what do think will happen with IPv6? Do you think NAT will still be used?
Don't get me wrong, not saying that NAT is not a useful tool - that sure can be used in protecting your hosts, or for sharing a IP, etc. etc. Lots of use for it. But there are protocols that just do not work, or do not work well when behind a NAT. And created extra overhead when its just not needed, there are places and uses for nat and or napt sure. But it is not the end all get all of protecting your servers.
-
I agree … a bridging firewall (or transparent firewall) is just as effective IMO. Plus, you get to hide your firewall so there is no gateway for attackers to attack. Not saying that won't stop attackers from trying or succeeding .. just makes it a little more difficult. But to just say that NAT is the only right way is a bit out there especially if you are unsure.
-
Does not have to be a bridging or transparent firewall either. But that is an option as well without NAT.
-
The lack of NAT is one of the things that I love about ipv6. Or rather, no longer needing to NAT anything. With ipv6, every global address on you lan is also your public ip. Using public ip's through a firewall without NAT works pretty much the same way on ipv4.
-
would you mind to tell me how to make that transparent bridge? use "bridge" under "interface" and select the WAN and LAN? what IPs to put on them? Both public?
-
would you mind to tell me how to set up the bridge? just choose "Bridge" and select WAN and LAN? what kind of IPs to give to them? Both Public? Thank you very much
-
Have you read this thread?
http://forum.pfsense.org/index.php/topic,36562.0.html
Clean Install with pfsense 2.0 using transparent firewall