I have a Comcast business connection with a /29 block and a Ubiquiti EdgeRouter.
I need to forward some ports (same ports for each server) to a few internal servers, and each server has its own public Static IP.
I seem to have two options:
- DNAT only the specific ports I need (and also allow only those ports through the firewall), or
- I can DNAT all ports for each IP address and just block everything except those ports on the firewall.
What is the best practice here? From a management perspective, DNATing everything is easier, as I can create a port group and I then need just one DNAT rule and one firewall rule per IP, whereas (at least with the EdgeRouter) I would otherwise need a separate DNAT rule for each port or port range.
But are there performance or security reasons not to DNAT everything and just block at the firewall? I know on the EdgeRouter that DNAT happens before the firewall, so I assume DNATing everything gives a slight performance hit, but is it enough to matter?
Thanks!
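Both options written out as EdgeOS configuration, added here as an illustration; this is not configuration from the post or from Ubiquiti's documentation. The WAN interface eth0, the public block 203.0.113.0/29 and inside network 192.168.1.0/24 (both constructed), the group name SERVER_PORTS, the ruleset name WAN_IN and all rule numbers are assumptions; lines beginning with # are explanatory comments, not commands.

```text
configure

# Ports every server exposes; the firewall uses this group in both options.
set firewall group port-group SERVER_PORTS description 'Ports exposed on each server'
set firewall group port-group SERVER_PORTS port 80
set firewall group port-group SERVER_PORTS port 443

# Option 1: DNAT only the needed ports. One NAT rule per port or range, per public IP.
# Anything that is not translated is addressed to the router itself and is never forwarded.
set service nat rule 10 description 'srv1 tcp/80'
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 protocol tcp
set service nat rule 10 destination address 203.0.113.10
set service nat rule 10 destination port 80
set service nat rule 10 inside-address address 192.168.1.10
set service nat rule 11 description 'srv1 tcp/443'
set service nat rule 11 type destination
set service nat rule 11 inbound-interface eth0
set service nat rule 11 protocol tcp
set service nat rule 11 destination address 203.0.113.10
set service nat rule 11 destination port 443
set service nat rule 11 inside-address address 192.168.1.10

# Option 2 (alternative to rules 10/11, not in addition to them): DNAT every port of the
# public IP to the server with one NAT rule. Only the firewall keeps the other ports closed.
set service nat rule 20 description 'srv1 all ports'
set service nat rule 20 type destination
set service nat rule 20 inbound-interface eth0
set service nat rule 20 destination address 203.0.113.10
set service nat rule 20 inside-address address 192.168.1.10

# Firewall applied inbound on the WAN interface. DNAT runs before this ruleset,
# so the rule must match the translated inside address, not the public address.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow return traffic'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'srv1 exposed ports only'
set firewall name WAN_IN rule 20 protocol tcp
set firewall name WAN_IN rule 20 destination address 192.168.1.10
set firewall name WAN_IN rule 20 destination group port-group SERVER_PORTS
set interfaces ethernet eth0 firewall in name WAN_IN

commit
save
exit
```

The security difference between the two is where a mistake lands. With option 1 the NAT rule and the firewall rule both have to permit a port before it reaches the server, so an over-broad accept in WAN_IN, or forgetting to attach WAN_IN to eth0, still leaves the unlisted ports unreachable. With option 2 the firewall is the only thing between the internet and every listening service on 192.168.1.10, so that same mistake exposes the whole host. Whichever option is chosen, `show firewall name WAN_IN statistics` after a test connection confirms that traffic to unlisted ports is hitting the default drop rather than an accept.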