Considering 1:1 NAT security with Virtuals IPs
Quiet new with pfsense, I watched this video : https://www.youtube.com/watch?v=zrBr0N0WrTY detailing 1:1 NAT + Virtual IP's.
The video explains HowTo use several public IP's and 1:1 NAT + firewall rules associated.
As 1:1 NAT exposes the target server, is the associated firewall rule that will allow only a certain traffic (HTTP as an example) should be completed by a second rule that will block everything, expect HTTP as described ?
In real terms, is there a risk with a such configuration or not ? Is 1:1 NAT + firewall rule to be considered safe ?
Sorry if this question might be consider as a dummy one, but I will appreciate your nice replies ;-)
pfsense Definitive Guide says :
Just keep this fact in mind when configuring your firewall rules, and as always, avoid permitting anything that is not required.
Do you add personally a firewall rule WAN to LAN that will Block everything as default ? And then adding rules to allow some traffic when 1:1 NAT is used ?
Without firewall rules, a 1:1 NAT rule only redirects and does not expose the protected resource. I know it says in the book (probably near the front) that everything is blocked unless expressly allowed by a rule. This does not apply to float rules though.
Port forward rules by themselves won't expose a protected resource. The default now is to create a rules automatically when you create the port forward rule.
I use 1:1 rules all the time without any problems.