xiaofami's recent timeline updates

xiaofami

  •   V2EX member No. 70149, joined 2014-08-07 13:47:04 +08:00
    2 G 24 S 44 B
    xiaofami's recent replies
    6 days ago
    Replied to the topic by xiaofami in 宽带症候群: How to set up 1:1 NAT for a dynamic IP
    @msg7086 A DMZ is a security measure; NAT is what makes a host reachable from the public internet. The two are often used together, but that doesn't mean a DMZ is implemented with 1:1 NAT. This passage I saw on some forum explains it clearly:

    The idea of a DMZ is that you have servers that need to be accessed from the internet, as we all know. The DMZ is a separate subnet that's logically outside of your inside LAN by applying security policies to what traffic can reach it. The bigger issue is servers get hacked. Now, if that server is in a DMZ, logic would indicate that you've also created rules in your firewall (which has DMZ and inside facing interfaces) NOT to allow any traffic to originate from that DMZ server and make connections to your inside LAN, protecting your inside LAN if that DMZ server gets compromised. If you put that server on your internal LAN and then NAT a public internet IP to it, people are connecting from the internet to that server in your LAN, and if they crack it they will have access to everything else on your inside LAN from that box. If it were in a DMZ and gets hacked, the firewall will block the hacker from making connections to the inside LAN from it.

    What Sosipater is saying is that you'll probably use NAT in your DMZ anyway, because many people create a separate DMZ subnet and assign private, non-internet-routable IPs like 192.168.x.x to the servers in the DMZ. You then have to "NAT" whatever public internet IP, from your ISP, to that private IP assigned to the server. In this case, you're using BOTH a DMZ and NAT.

    Either way, if the server is going to be accessed from the Web, use a DMZ! It's a best practice and just the smart way to go. You already have a firewall. The only cost associated should be if you get paid OT or not... ;-)
    6 days ago
    Replied to the topic by xiaofami in 宽带症候群: How to set up 1:1 NAT for a dynamic IP
    @msg7086 I may have conflated the concepts of DMZ and exposed host. The "DMZ" feature that typical home routers offer is really just an exposed host, isn't it? If I understand correctly, the DMZ subnet should be separate from the LAN, and the "DMZ" that ordinary routers provide clearly doesn't achieve that.
    I also have two further doubts about DMZ. First, how to join the DMZ zone: my physical NICs aren't passed through, creating a new virtual NIC is no problem, but physical devices outside the ESXi host apparently have no way to attach. Second, a DMZ doesn't solve the NAT problem; I still need to do a 1:1 map, which brings me back to where the question started…
    The Sharp air purifier at home runs year-round; minerals in the tap water crystallize on the humidifier filter and lower its evaporation efficiency, and replacing the original filter isn't cheap either, so purified water is the better choice.
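As an added example (not from the thread or either poster), the policy the quoted passage describes, placed beside the home-router "exposed host" setup from the reply above, as a small Python model of the firewall's decision: 1:1 NAT rewrites the public IP to the server's private IP, then zone-to-zone policy applies. All addresses, ports and zone names are constructed for illustration.

```python
import ipaddress

# Constructed sample addressing (an assumption for this example, not from the thread).
PUBLIC_IP = "203.0.113.10"            # public IP from the ISP, mapped 1:1 to the server
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")
PUBLISHED_PORTS = {80, 443}           # the services the server is meant to offer

DESIGNS = {
    # Proper DMZ: server on its own subnet, with the firewall between DMZ and LAN.
    "dmz": {"server": "192.168.100.10", "zones": {"lan": LAN, "dmz": DMZ}},
    # Home-router "DMZ" (exposed host): the server sits inside the LAN itself.
    "exposed_host": {"server": "192.168.1.10", "zones": {"lan": LAN}},
}

def zone_of(ip, zones):
    """Map an address to a named zone; anything outside the known subnets is 'wan'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in zones.items() if addr in net), "wan")

def allowed(design, src_ip, dst_ip, dst_port):
    """Decide whether a NEW connection (the first packet of a flow) is permitted."""
    d = DESIGNS[design]
    if dst_ip == PUBLIC_IP:            # step 1: 1:1 NAT (DNAT) on inbound traffic
        dst_ip = d["server"]
    src, dst = zone_of(src_ip, d["zones"]), zone_of(dst_ip, d["zones"])
    if src == "lan":                   # LAN may reach DMZ and internet; LAN-to-LAN
        return True                    # traffic never even crosses the firewall
    if src == "wan":
        if dst == "dmz":               # only the published services on the DMZ server
            return dst_ip == d["server"] and dst_port in PUBLISHED_PORTS
        if dst == "lan":               # exposed host: router forwards every port to it
            return design == "exposed_host" and dst_ip == d["server"]
        return False
    if src == "dmz":                   # the key rule from the quoted passage: nothing
        return dst == "wan"            # may originate from the DMZ towards the LAN
    return False

def compromise_blast_radius(design):
    """What a compromised server could still open connections to under each design."""
    server = DESIGNS[design]["server"]
    return {"lan_host": allowed(design, server, "192.168.1.20", 445),
            "internet": allowed(design, server, "198.51.100.7", 443)}
```

Comparing `compromise_blast_radius("dmz")` with `compromise_blast_radius("exposed_host")` shows the difference the reply asks about: only the exposed-host design lets the server reach the internal host.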

    8 days ago
    Replied to the topic by xiaofami in 宽带症候群: How to set up 1:1 NAT for a dynamic IP
    @boywhp @10467106 @Tink
    A DMZ doesn't seem feasible: the documentation I read says setting up a DMZ requires a third NIC, my ESXi host has only 2 physical NICs, and even with the DMZ set up, the other physical machines couldn't join it.
    @LGA1150 @mooncakejs
    Multi-dial works, and the endpoints can dial in independently too, but it feels less convenient than managing it centrally on the router.
    50 days ago
    Replied to the topic by stcasshern in 职场话题: Stay at a public institution or move to an internet company?
    Public institutions are being dissolved, merged, or converted into enterprises; in the future only a small number of public-service ones will remain. Times changed long ago.

    http://www.scopsr.gov.cn/ggts/flgg/
    Sounds like you've never heard of audits.
    The Central Commission Office (中央编办) recently launched an information-submission platform for us, built on TRS WCM; it is very hard to use, and I feel even WordPress would be far better……
    98 days ago
    Replied to the topic by hackpro in 问与答: Can the China Mobile 8-yuan 4G 飞享 plan no longer be applied for?
    DigitalOcean