Considering 1:1 NAT security with Virtuals IPs



  • Hi All,

    Quiet new with pfsense, I watched this video : https://www.youtube.com/watch?v=zrBr0N0WrTY detailing 1:1 NAT + Virtual IP's.

    The video explains HowTo use several public IP's and 1:1 NAT + firewall rules associated.

    As 1:1 NAT exposes the target server, is the associated firewall rule that will allow only a certain traffic (HTTP as an example) should be completed by a second rule that will block everything, expect HTTP as described ?

    In real terms, is there a risk with a such configuration or not ? Is 1:1 NAT + firewall rule to be considered safe ?

    Sorry if this question might be consider as a dummy one, but I will appreciate your nice replies ;-)

    Regards

    PS
    pfsense Definitive Guide says :

    Just keep this fact in mind when configuring your firewall rules, and as always, avoid permitting anything that is not required.

    Do you add personally a firewall rule WAN to LAN that will Block everything as default ? And then adding rules to allow some traffic when 1:1 NAT is used ?



  • Without firewall rules, a 1:1 NAT rule only redirects and does not expose the protected resource. I know it says in the book (probably near the front) that everything is blocked unless expressly allowed by a rule. This does not apply to float rules though.
    Port forward rules by themselves won't expose a protected resource. The default now is to create a rules automatically when you create the port forward rule.
    I use 1:1 rules all the time without any problems.


Log in to reply