NAT redundant w/firewall?

If a firewall can do IP forwarding to/from a private network, isn't a NAT inside the firewall redundant?

thanks, nf

Reply to
nutso fasst

Firewalls don't require NAT; NAT is just for routing and, in the case of home users' networks, so that more than one node can share a public IP.

We have several networks that have 1:1 NAT mode, several that have Drop-In mode (where all interfaces have a public IP), and most a 1:Many NAT setup.

What you see in most of the home network routers is a 1:Many NAT solution that is claimed to be a firewall solution; it's not.

A 1:Many NAT does make a nice protective barrier solution for your home network, as nothing gets in that you didn't invite, but some products are less protective of the session than others. Get something that states it has SPI and your home network should be safe enough.

Reply to
Leythos

Thanks, but I now fear my question was so dumb as to be misinterpreted. A number of systems on a private network share one connection for HTTP, HTTPS, and FTP, currently through SYGATE and thence through the firewall. Since the firewall won't do IP translation, I'm supposing the firewall would simply allow the private IPs direct access to the Internet, which of course wouldn't work.

nf

Reply to
nutso fasst

I'm confused about your setup, but I don't understand why your non-game server nodes would have any change at all.

Since all firewalls have a NAT mode, and since Sygate will do NAT, it's just a matter of mapping the servers and rules to protect your systems.

Reply to
Leythos

The Sygate I'm referring to is the pre-Symantec NAT for NT. I'm moving gateway server software to (relatively) new hardware - a fresh install when cloning the HDD didn't work. I found the license for Sygate but couldn't find the install file. I was (painfully) editing the registry to use the previous install, and wondered if I could use the firewall as a NAT. Then, through some fortunate fluke of fate, I came across the Sygate install file in an inexplicable place!

All firewalls have a NAT mode? I don't see that ConSeal can do translation.

Reply to
nutso fasst

Sorry, I was speaking of real firewalls, ones that run on dedicated boxes (like checkpoint) or appliances.

Sygate would allow 1:Many NAT mapping in the old days, not sure about now as I've not used it in a long time.

No matter what, you don't want that server directly on the Internet.

Reply to
Leythos

With Sygate inside the firewall? Why not?

Reply to
nutso fasst

I think you are either not telling me everything or I'm not understanding what you have setup.

Sygate runs on a PC, that means that you have to expose the server to the internet.

If you have a firewall and then the PC, you don't need Sygate.

Reply to
Leythos

The setup is a software firewall and NAT on one server, connected to the Internet on 5-bit DSL subnet, w/HTTP service between the FW and NAT. Are you saying this is destined for compromise, or only that a firewall outside the server reduces risks?

Reply to
nutso fasst

INTERNET || FIREWALL SERVER || APP/GAME Server

If this is how you have it setup, then only the Firewall Server is connected directly to the Internet, so it's the one that you risk the most with.

If the firewall server is running a Windows version, then you're open to all sorts of exploits/compromises, even if you lock it down against currently known threats. This location, the firewall, is best served by a firewall appliance, one that doesn't have all the exposure points of a full OS/application service.

I would do this if I were you:

INTERNET || Public IPs || Firewall Appliance NAT 192.168.16.0/24 || Server 1 (192.168.16.10, 11, 12, etc. as needed for games)
                                                                      Server 2 (192.168.16.20, 21, 22, etc. as needed for games)

Set up rules for Ext > 192.168.16.10 (TCP and/or UDP ports as needed)
Set up rules for Ext > next

Create rules as needed to ONLY allow inbound connections on specific ports that are required for the games to run.

As for server management, VPN into the Firewall (as the quality ones act as a VPN Server so you can connect direct to them), then create rules that permit your VPN User to access the servers as needed.

Reply to
Leythos

That looks like good advice, thanks. But the cost of a firewall appliance to handle 5 public IPs is a budget buster. BTW, no games on the network. HTTP service on the server w/the firewall. Workstations browse through the NAT. I'll probably just lock down and monitor as best I can for now.

Reply to
nutso fasst

Why not use a smaller firewall appliance? There are small units starting at $500 and increasing in price from there.

Netgear makes a small product that IS certified, which I've used in some small installations and a couple of sororities: Netgear part #FVL328

About $250 and is the smallest unit I would consider a firewall.

Reply to
Leythos

Very impressive FW for a SOHO but apparently limited to one WAN address.

Reply to
nutso fasst

Sorry, I didn't check that.

The WatchGuard X500 is the minimum I would start a SOHO business out on, at least one that I wanted to feel as though I protected them. The X700 is my normal starting point for any other type of business, meaning larger than a home-based business.

Reply to
Leythos

I'm thinking a fun project would be to take one of these 2-LAN VIA boards and make an Internet firewall/NAT out of it:

formatting link

Reply to
nutso fasst

It's very common to use a dual-LAN (NIC) system for a firewall, but, in case you missed it, most firewall servers are running a *nix OS, stripped down of all unnecessary services, and then have a quality firewall application installed. The server is not used for any other function, just a firewall; CheckPoint Firewall-1 is a typical example. We have a couple of FW-1 solutions with 4 NICs in them, and they have worked well for years - but the system was actually built by an authorized CP reseller.

If you're considering doing a Server with a Windows OS, just reconsider and find a viable Linux solution.

Reply to
Leythos
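An added example of what the dedicated dual-NIC *nix firewall described in this post would actually run, using the layout Leythos sketched earlier in the thread (the box does 1:Many NAT for 192.168.16.0/24, only the invited ports reach the server behind it, and stateful inspection is what lets reply traffic back in). This is not code from the thread or from any product named in it; it is a POSIX shell script that emits an nftables ruleset. The interface names eth0/eth1, the 192.168.16.0/24 subnet, the 192.168.16.10 server address and the port list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset for a
# two-NIC Linux NAT firewall. Every value below is an assumption; override
# them in the environment to match the real box.
WAN_IF="${WAN_IF:-eth0}"                 # assumed: NIC facing the DSL/Internet side
LAN_IF="${LAN_IF:-eth1}"                 # assumed: NIC facing the private network
LAN_NET="${LAN_NET:-192.168.16.0/24}"    # private subnet behind the firewall
WEB_SERVER="${WEB_SERVER:-192.168.16.10}" # assumed address of the HTTP/game server

# gen_ruleset PROTO:PORT ... - print a ruleset that forwards only the listed
# ports from the public side to WEB_SERVER and masquerades everything going out.
gen_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # the firewall itself listens to nothing on the WAN side
        iifname "$LAN_IF" tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # conntrack (the "SPI" part): replies to invited sessions only
        ct state established,related accept
        ct state invalid drop
        # workstations may browse out; the nat table rewrites their source
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
EOF
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec##*:}
        printf '        # inbound to the server, only on this port and only if DNAT matched\n'
        printf '        iifname "%s" oifname "%s" ip daddr %s %s dport %s ct status dnat accept\n' \
            "$WAN_IF" "$LAN_IF" "$WEB_SERVER" "$proto" "$port"
    done
    cat <<EOF
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
EOF
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec##*:}
        printf '        iifname "%s" %s dport %s dnat to %s:%s\n' \
            "$WAN_IF" "$proto" "$port" "$WEB_SERVER" "$port"
    done
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # 1:Many NAT: the whole private subnet shares the WAN address
        oifname "$WAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# apply_ruleset PROTO:PORT ... - enable forwarding and load the rules (needs root and nft).
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset "$@" | nft -f -
}

# When run directly with a port list, print the ruleset so it can be reviewed first.
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Check it before loading: `sh nat-fw.sh tcp:80 tcp:443 | nft -c -f -` parses the output without touching the kernel; `apply_ruleset tcp:80 tcp:443` as root installs it. The forward chain's default is drop, so an unsolicited packet from the Internet to 192.168.16.10 on any port not in the list has no conntrack entry and no DNAT rule and is discarded, which is the "nothing gets in that you didn't invite" behaviour; the input chain's default drop is what keeps the firewall box itself off the Internet, the point Leythos makes about not exposing a Windows gateway.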

I thought the fun part would be designing and coding an OS-independent bootable firewall. Not that this would be ready any time soon...

Reply to
nutso fasst

Am I wrong, or does the x500 cost $1000+?

If so, for the vast majority of home users, you're *way* out of the financial ballpark.

Notan

Reply to
Notan

I don't believe you read the post properly. I didn't put the X500 in the home user market, I put it in the SOHO market (please google if you don't know what SOHO is).

Residential users don't normally have more than 1 Public IP, so the Netgear Part #FVL328 would be a perfect Home User firewall.

Reply to
Leythos


The term "SOHO" is not well defined.

Someone in the business of knitting, then selling, sweaters from home can, in fact, be referred to as a Small Office / Home Office.

Notan

Reply to
Notan

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.