Comment Re:The big fix... (Score 1) 75
You also gain the bonus feature that with a single config line change, you can put one of your private "NATed" machines out in your DMZ and don't have to reconfigure anything else but one entry on the firewall.
To people who care about security and know their stuff that is a bug, not a feature. Think about what happens if one day someone fat-fingers the firewall config. The DMZ servers would be hardened so they might survive the exposure. The other machines on your private network are unlikely to be safe when accidentally exposed to the world. In many real-world corporations there are usually servers that can't be locked down that tightly.
Really? That's your argument?
If you are using a many-to-many NAT setup (as many reasonably sized companies would require), you are able to place up to one machine in the DMZ per external IP. So the mistake in question is already possible without
Furthermore, many large companies have never used NAT, and they don't have these problems. They have only ever used public IP addresses and a stateful firewall. They avoid issues like you are talking about by being careful and having security in depth. For example, having multiple firewalls can prevent accidentally placing a machine in the DMZ with a single mistake. You could make it such that an IP address must be explicitly listed in the edge firewall to be in the DMZ. If you also have the inner firewall configured to require stateful connections for all machines, then the only way to accidentally expose a machine is to make two mistakes. The mistakes could be placing an internal machine in the DMZ VLAN and also adding its IP address to the edge firewall, or managing to mess up the configuration of both firewalls simultaneously.
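A toy model of the two-firewall arrangement described in the comment above, added here as an illustration and not part of the original thread or any commenter's post. The RFC 5737 documentation addresses, the host roles and the Python classes are assumptions constructed for the example; the model captures only the two checks the comment names (an explicit DMZ host list at the edge, stateful-only traffic at the inner firewall) and evaluates which single or combined mistakes actually expose an internal host.

```python
"""Added example: model of an edge firewall with an explicit DMZ list in
front of a stateful inner firewall, used to check the claim that an
internal host becomes reachable from the Internet only after two
independent mistakes.  Addresses come from the RFC 5737 documentation
ranges and are constructed for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    new_connection: bool   # True for the first packet of a flow (e.g. a TCP SYN)


class EdgeFirewall:
    """Edge firewall: inbound new connections are accepted only for hosts an
    administrator has explicitly listed as DMZ hosts.  Packets of flows the
    edge already tracks pass (stateful)."""

    def __init__(self, dmz_allow):
        self.dmz_allow = frozenset(dmz_allow)

    def permits_inbound(self, pkt):
        if not pkt.new_connection:
            return True
        return pkt.dst in self.dmz_allow


class InnerFirewall:
    """Inner firewall between the DMZ VLAN and the internal VLAN: internal
    hosts may only receive packets of connections they initiated."""

    def permits_inbound(self, pkt):
        return not pkt.new_connection


class Network:
    def __init__(self, dmz_vlan_hosts, edge, inner):
        self.dmz_vlan_hosts = frozenset(dmz_vlan_hosts)
        self.edge = edge
        self.inner = inner

    def reachable_from_internet(self, host):
        """Can an outside attacker open a new connection to `host`?"""
        pkt = Packet(src="203.0.113.7", dst=host, new_connection=True)
        if not self.edge.permits_inbound(pkt):
            return False
        if host in self.dmz_vlan_hosts:
            # The DMZ VLAN hangs directly off the edge; the inner firewall
            # is not in the path to a host that sits there.
            return True
        return self.inner.permits_inbound(pkt)


WEB_SERVER = "198.51.100.10"     # hardened host that belongs in the DMZ (assumed)
INTERNAL_HOST = "192.0.2.25"     # internal server that must never be exposed (assumed)


def exposure_matrix():
    """Evaluate the internal host under the correct configuration, each
    single mistake, and both mistakes together.  Returns {scenario: exposed}.
    Each scenario is (extra hosts listed at the edge, extra hosts on the DMZ VLAN)."""
    scenarios = {
        "correct": (set(), set()),
        "edge_lists_internal_host_only": ({INTERNAL_HOST}, set()),
        "internal_host_on_dmz_vlan_only": (set(), {INTERNAL_HOST}),
        "both_mistakes": ({INTERNAL_HOST}, {INTERNAL_HOST}),
    }
    result = {}
    for name, (extra_edge, extra_vlan) in scenarios.items():
        net = Network(
            dmz_vlan_hosts={WEB_SERVER} | extra_vlan,
            edge=EdgeFirewall({WEB_SERVER} | extra_edge),
            inner=InnerFirewall(),
        )
        # The legitimate DMZ host must stay reachable in every scenario.
        assert net.reachable_from_internet(WEB_SERVER)
        result[name] = net.reachable_from_internet(INTERNAL_HOST)
    return result


if __name__ == "__main__":
    for name, exposed in exposure_matrix().items():
        print(f"{name:32s} internal host exposed: {exposed}")
```

Running it shows the internal host unreachable in the correct configuration and under either single mistake (the edge drops the SYN when the host is merely moved onto the DMZ VLAN; the inner firewall drops it when the host is merely listed at the edge), and reachable only when both mistakes coincide. A real deployment would still need to verify that the inner firewall is actually in the path for every internal segment, which this model takes as given.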