Robert Moskowitz rgm@htt-consult.com wrote:
I suspect not. When I installed this system I turned off the Linux firewall feature.
I think if you allow everything in by default, you're okay. My comments on the "state" setting were for the case where you were dropping packets by default.
First off, let me introduce myself. Go take a look at RFC 1918 and look for the name 'Moskowitz'. Also RFCs 2401 - 2412. Yeah, I am the one that set up the 'environment' to make NATs a fact of life.
Okay, I know where you're coming from.
BTW, I like to refer to it as DNAT, SNAT -- collectively as NAT+PAT -- as to differentiate from 1:1 NAT (no PAT). But that's just me being anal.
Well actually ROAD imploded and we were left with no real alternative... No, I have public addresses. So one interface is in 65.84.78/24 and the other is set up as 192.168.192.0/28. But I will be putting a NAT behind it!
Hmmm, in a corporate environment, I still try to avoid NAT+PAT, and setup my routers to route between networks. But since the address schemes aren't contiguous, one NAT+PAT between a public and private is not bad.
Now 1:1 NAT, I have no problem with on a corporate network. That's completely different, and should be considered a better option if possible. But I leave it to you.
You see, I want to replicate one of my production networks, maintaining the IP address scheme, and still allow the servers to get updates through the double NATing.
Then consider 1:1 NAT instead -- then you have a 1:1 relationship of servers, you can route directly, etc...
I quite know what I am doing on Network Architecture. But I am an architect/researcher, and have not spent the time learning my Unix stuff. In fact I have forgotten most of what I knew back in '93 when I was supporting SUN/386 stuff.
Again, I can appreciate where you are coming from.
One of my 6 month consulting gigs was working on the 2nd largest private network in the US. I could tell rather quickly when people were either using "default routes" or putting in "NAT+PAT" devices on our network.
[ I'm sure some of my critics will now use that last paragraph against me yet again -- even though, yet again, I wasn't the person who stated any credentials first. ]
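The distinction drawn in the thread (1:1 NAT, where every inside host has its own outside address and you can still route to it directly, versus NAT+PAT, where many hosts share one address and the device has to keep per-flow port state) is easier to see in a small model. The following is an added example, not code from either poster. It models a "double NAT" of the kind described above: an inner NAT+PAT box whose public side sits in 192.168.192.0/28, in front of a 1:1 NAT that maps that /28 onto an assumed /28 carved out of 65.84.78.0/24 (the exact carve-out, the host addresses and the destination 198.51.100.10 are illustrative). The 1:1 translator behaves like netfilter's NETMAP target: it rewrites the prefix and keeps the host bits, with no flow state, which is why it translates unsolicited inbound packets too and still needs a stateful filter in front of it.

```python
import ipaddress


class OneToOneNat:
    """Static 1:1 NAT: swap the network prefix, keep the host part.
    No per-flow state; inbound packets are translated whether or not
    anything inside solicited them (the filtering must happen elsewhere)."""

    def __init__(self, inside: str, outside: str) -> None:
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("1:1 NAT needs two networks of the same size")

    def _remap(self, addr: str, src, dst) -> str:
        a = ipaddress.ip_address(addr)
        if a not in src:
            raise ValueError(f"{a} is not in {src}")
        return str(dst.network_address + (int(a) - int(src.network_address)))

    def to_outside(self, addr: str) -> str:
        return self._remap(addr, self.inside, self.outside)

    def to_inside(self, addr: str) -> str:
        return self._remap(addr, self.outside, self.inside)


class NatPat:
    """Many-to-one source NAT with port translation (SNAT/MASQUERADE style).
    Outbound flows get a public port; inbound packets are only delivered
    if they match an existing flow, so unsolicited traffic has nowhere to go."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            port = self.next_port           # simple allocator; real stacks try to keep src_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def translate_in(self, public_port, remote_ip, remote_port):
        # Returns the inside (ip, port) for a reply, or None when no flow matches.
        return self.back.get((public_port, remote_ip, remote_port))


# Assumed topology (illustrative addresses, not the poster's real configuration):
#   inner hosts 10.0.0.0/24 -> NAT+PAT box at 192.168.192.14 -> 1:1 NAT -> 65.84.78.0/28
INNER = NatPat(public_ip="192.168.192.14")
OUTER = OneToOneNat("192.168.192.0/28", "65.84.78.0/28")


def outbound(src_ip, src_port, dst_ip, dst_port):
    """Packet leaving an inner host: PAT first, then the 1:1 prefix rewrite."""
    ip, port, d, dp = INNER.translate_out(src_ip, src_port, dst_ip, dst_port)
    return (OUTER.to_outside(ip), port, d, dp)


def inbound(dst_ip, dst_port, src_ip, src_port):
    """Packet arriving at the public side. Returns the final (ip, port) it is
    delivered to, or None if it reaches the PAT box with no matching state."""
    hop = OUTER.to_inside(dst_ip)            # 1:1 NAT translates unconditionally
    if hop != INNER.public_ip:
        return (hop, dst_port)               # a 1:1-mapped server, reached directly
    return INNER.translate_in(dst_port, src_ip, src_port)


if __name__ == "__main__":
    print(outbound("10.0.0.7", 40000, "198.51.100.10", 443))
    print(inbound("65.84.78.14", 1024, "198.51.100.10", 443))
    print(inbound("65.84.78.14", 2000, "198.51.100.10", 443))
    print(inbound("65.84.78.5", 22, "203.0.113.9", 51000))
```

The last two calls in the demo are the point of the thread: an inbound packet to a 1:1-mapped server (65.84.78.5) is simply handed to 192.168.192.5, so such servers stay reachable for updates and management but must be protected by a firewall rule, whereas the PAT box drops anything it has no state for.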