Dear All,

I have recently used Shorewall and have a query. I have my mail and DNS server right now using public IP.

I want to hide these IPs from the external world.

Now, in terms of performance, reliability, speed, security, which one would be better to implement:

proxyARP or one to one NAT?

Appreciate your help.

Regards,
simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php

Benedict simon wrote:
> Dear All,
>
> I have recently used Shorewall and have a query. I have my mail and DNS server right now using public IP.
>
> I want to hide these IPs from the external world.
>
> Now, in terms of performance, reliability, speed, security, which one would be better to implement:
>
> proxyARP or one to one NAT?
>
> Appreciate your help.

Is there any special reason why you want to hide your public IP? There are a few tricks people can use to find it out anyway, and it shouldn't really be that significant.

My guess (without any evidence for it) would be that proxy ARP would perform better, and one to one NAT would offer better hiding of your IP address.

Paul

> Benedict simon wrote:
>> Dear All,
>>
>> I have recently used Shorewall and have a query. I have my mail and DNS server right now using public IP.
>>
>> I want to hide these IPs from the external world.
>>
>> Now, in terms of performance, reliability, speed, security, which one would be better to implement:
>>
>> proxyARP or one to one NAT?
>>
>> Appreciate your help.
>
> Is there any special reason why you want to hide your public IP? There are a few tricks people can use to find it out anyway, and it shouldn't really be that significant.
>
> My guess (without any evidence for it) would be that proxy ARP would perform better, and one to one NAT would offer better hiding of your IP address.
>
> Paul

Thanks Paul for your quick reply.

Actually, my main reason was just to hide my public IP web servers and mail servers + DNS servers from the outside world, but if you do say I won't have much significance, I guess it is better to have the same setup as of now.

Regards,
simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

On Sat, Jun 07, 2008 at 02:48:21PM +0300, Benedict simon wrote:
> > Benedict simon wrote:
> >> Dear All,
> >>
> >> I have recently used Shorewall and have a query. I have my mail and DNS server right now using public IP.
> >>
> >> I want to hide these IPs from the external world.
> >>
> >> Now, in terms of performance, reliability, speed, security, which one would be better to implement:
> >>
> >> proxyARP or one to one NAT?
> >>
> >> Appreciate your help.
> >
> > Is there any special reason why you want to hide your public IP? There are a few tricks people can use to find it out anyway, and it shouldn't really be that significant.
> >
> > My guess (without any evidence for it) would be that proxy ARP would perform better, and one to one NAT would offer better hiding of your IP address.
> >
> > Paul
>
> Thanks Paul for your quick reply.
>
> Actually, my main reason was just to hide my public IP web servers and mail servers + DNS servers from the outside world, but if you do say I won't have much significance, I guess it is better to have the same setup as of now.

As it happens, no matter what you do, mail and http requests still need to reach the server. So, if the services are not properly secured, hiding the IP addresses will gain you nothing as they must still be reached by external entities. Otherwise, you may as well just shut down the machines.

You make your life lots easier if you simply have them with public IPs to begin with.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Benedict simon wrote:
> ...
> Thanks Paul for your quick reply.
>
> Actually, my main reason was just to hide my public IP web servers and mail servers + DNS servers from the outside world, but if you do say I won't have much significance, I guess it is better to have the same setup as of now.

Now you're confusing me. If you mean that your web, mail, and DNS servers are currently unprotected by packet filters, then the answer is different. If you just mean that you want to move them from public to private IPs, my previous advice stands.

> Benedict simon wrote:
>> ...
>> Thanks Paul for your quick reply.
>>
>> Actually, my main reason was just to hide my public IP web servers and mail servers + DNS servers from the outside world, but if you do say I won't have much significance, I guess it is better to have the same setup as of now.
>
> Now you're confusing me. If you mean that your web, mail, and DNS servers are currently unprotected by packet filters, then the answer is different. If you just mean that you want to move them from public to private IPs, my previous advice stands.

Hi guys,

Thanks for the replies.

Actually, I have a current setup that has been running for some time and working well. My internal network of servers (like mail, web, DNS) is under Shorewall with public IPs.

But there was just a debate as to whether to move the public servers currently on public IPs to private IPs and NAT them, as enhancing the security. That's why I was thinking of implementing it.

Thank you guys, and appreciate it.

Regards,
simon

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY:

Benedict simon wrote:
> Actually, I have a current setup that has been running for some time and working well. My internal network of servers (like mail, web, DNS) is under Shorewall with public IPs.
>
> But there was just a debate as to whether to move the public servers currently on public IPs to private IPs and NAT them, as enhancing the security.

NAT seems to fascinate some people, strange how "broken" should come to be regarded as "good" ;-)

NAT won't protect you from a compromised machine being used for outbound attacks on others - a good firewall will.

NAT won't stop anything inbound that couldn't be stopped by a good firewall. The only difference is that should the firewall fail (such as Shorewall fail to load) then NAT does provide the equivalent of a "drop all" policy.

If you have it working, then don't change it. IMO, NAT breaks far more than the minor security benefits are worth.

Come IPv6 we'll be using public IPs again, then we can have the same argument all over again :-)

> Benedict simon wrote:
>
>> Actually, I have a current setup that has been running for some time and working well. My internal network of servers (like mail, web, DNS) is under Shorewall with public IPs.
>>
>> But there was just a debate as to whether to move the public servers currently on public IPs to private IPs and NAT them, as enhancing the security.
>
> NAT seems to fascinate some people, strange how "broken" should come to be regarded as "good" ;-)
>
> NAT won't protect you from a compromised machine being used for outbound attacks on others - a good firewall will.
>
> NAT won't stop anything inbound that couldn't be stopped by a good firewall. The only difference is that should the firewall fail (such as Shorewall fail to load) then NAT does provide the equivalent of a "drop all" policy.
>
> If you have it working, then don't change it. IMO, NAT breaks far more than the minor security benefits are worth.

Thanks for your mail, I really do appreciate it.

I guess and will stick to your advice of not changing anything, as the setup has been running well for the last 1 year.

Regards,
simon

> Come IPv6 we'll be using public IPs again, then we can have the same argument all over again :-)

--
Network ADMIN
-------------
KUWAIT MUNICIPALITY: