
Re: NAT and NAT

From: Aaron Crandall <acrandal(at)wgz.com>
Date: Tue Dec 17 2002 - 19:31:50 EST


> Replace your second NAT with a stateful firewall (just the pf ruleset,
> as this is about OpenBSD) and you have a classical DMZ with two
> firewalls. You don't get the internal LAN address hiding from the DMZ
> that NAT provides, but you have a simpler solution without the complexity
> of the second NAT.

I have considered going to the stateful firewall, but things have been working just fine for so long that I've gotten lazy about that part of the network. It has reached the point of "infrastructure" and doesn't get messed with often. I do tweak my altq rules on occasion, mostly when someone has me set up a new server in the DMZ.

> Remember that NAT is *evil*, a bad solution to the IPv4 address

My needs are simple so far. It hasn't stomped me, other than to kill active ftp. I agree, and wish that IPv6 would get on with it.

> I've met several otherwise technically savvy people that forgot it's
> possible to route between two private nets (also called
> non-routable), hence my question.

Yeah, I know it is possible, but routing isn't high on my list to figure out until it becomes more important for whatever reason.

> I personally prefer the two FW DMZ solution if the extra resources are

Cool, I'm glad we agree.
(I ended up with 16 Digital 486 pizzabox machines. 10 of them were able to run OpenBSD just fine. With some scrounging I got wayyyy too many ISA NICs (3c509's and EEPro16's). I've built a stack of firewall machines and other beater boxen out of them.)


  --Aaron

Received on Tue Dec 17 19:34:44 2002
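What the quoted suggestion amounts to on the inner firewall, as an added example that is not part of the thread: a stateful pf ruleset with no nat between the DMZ and the internal LAN, so only replies to LAN-initiated flows cross back. Interface names and addresses are constructed, and the syntax is modern OpenBSD pf (4.7 and later), which differs from the 2002-era syntax the thread was written against.

```conf
# Inner firewall of a two-firewall DMZ (constructed example).
# The outer firewall does the NAT toward the Internet; this box only filters.
dmz_if = "em1"      # faces the DMZ
lan_if = "em0"      # faces the internal LAN
dmz_net = "192.168.10.0/24"
lan_net = "192.168.20.0/24"
tcp_services = "{ 22 80 443 }"

set skip on lo
block log all                   # default deny in both directions, logged
antispoof quick for { $lan_if $dmz_if }

# No nat rule here: LAN addresses are routed into the DMZ unchanged.
# That is the "address hiding" the thread says you give up; in exchange
# the DMZ hosts see real source addresses in their logs.

# LAN may open connections to DMZ services; pass creates state,
# so the return packets are matched by state and need no extra rule.
pass in  on $lan_if inet proto tcp from $lan_net to $dmz_net port $tcp_services
pass out on $dmz_if inet proto tcp from $lan_net to $dmz_net port $tcp_services
pass in  on $lan_if inet proto udp from $lan_net to $dmz_net port 53
pass out on $dmz_if inet proto udp from $lan_net to $dmz_net port 53
pass in  on $lan_if inet proto icmp from $lan_net to $dmz_net icmp-type echoreq
pass out on $dmz_if inet proto icmp from $lan_net to $dmz_net icmp-type echoreq

# A compromised DMZ host must not be able to start anything toward the LAN.
# The default block already drops it; this explicit rule makes the attempt
# show up distinctly in pflog for detection.
block drop in log on $dmz_if from $dmz_net to $lan_net

# Manage the firewall itself from the LAN side only.
pass in on $lan_if inet proto tcp from $lan_net to ($lan_if) port 22
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the first form parses without applying, so a typo cannot lock you out of the box.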

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:32:04 EDT

