EFW best practices, port forward per port or 1:1 nat?

[Guest]

[bangsters]

Hi.

How did you guys implement EFW in your cluster? 

1. Port Forwarding.  All ports are disabled except for the specific ports which are natted to the private IPs.
2. 1:1 NAT.  Then in Firwall -> System Access disalbe specific ports, or enable these ports only for certain IPs.  Like ssh and rdp ports only allowed on your IP.

Which method are you using?  Currently how we implemented ours is using the first one.  ALl ports are disabled.  We enable specific ports (80,143,443, 25, etc) for each and every public IP and destination private IP.  The result is a very long list of port forwarding rules.

Is the second option above a better choice?  Why or why not?

Thanks

[bangsters]

bump anyone?

[sterilegenie]

Im currently using Astaro Security Gateway and Im using Snat and Dnat, the rules are long, its a pain in the arse to get setup but once its done..... its done!
Im looking at Endian right now because I have reached my user license limit. I hope others chime in on this one to see what others suggest.

[itguy12]

What about SNAT? Do you have certain private IPs source NATed out as an external IP that is not your firewall IP? How did you accomplish this?

[theonegod]

I just setup one of these and I used Port Forwarding with access control entries in addition to SNAT settings. The list IS long but you can speed the process up a bit by editing the config file directly.