OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: 8191 on August 02, 2020, 09:24:11 am

Title: Why using stunnel via NAT only?
Post by: 8191 on August 02, 2020, 09:24:11 am
Hi,

the stunnel documentation (https://wiki.opnsense.org/manual/how-tos/stunnel.html), as well as the GUI help on the plugin's configuration, mentions that it's safest to bind stunnel to localhost only and use NAT to forward traffic to stunnel. On the other hand, the online help for NAT (https://wiki.opnsense.org/manual/nat.html) mentions that NAT should not be used as a security measure.

So my question would be:
Why does the author of the stunnel plugin consider binding to a loopback address more secure than binding to the interface address, which is protected by pf anyway?

Thanks and BR
Manuel
Title: Re: Why using stunnel via NAT only?
Post by: fabian on August 02, 2020, 02:05:41 pm
The lo0 interface will not go down, so a network outage or IP address renewal will not crash the daemon. If you have a static IP and a stable connection, it should not make a difference.
The alternative is to bind to all IP addresses with 0.0.0.0 and ::.
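To make the two bindings concrete, here is an added configuration example. It is not from the original thread, the stunnel plugin or the OPNsense GUI (which generates its own rules); the WAN interface name em0, the ports 443/8443, the backend 10.0.0.5:80 and the certificate path are assumptions.

```conf
; ===== Option A: stunnel listens on loopback only, pf forwards to it =====
; /usr/local/etc/stunnel/stunnel.conf (assumed path and values)
; lo0 never goes down, so a WAN outage or DHCP/PPPoE address renewal
; cannot take the listener away from the daemon.
[https-frontend]
accept  = 127.0.0.1:8443
; plaintext backend behind the TLS terminator (assumed address)
connect = 10.0.0.5:80
cert    = /usr/local/etc/stunnel/server.pem

# /etc/pf.conf fragment (assumed interface em0): external port 443 is
# redirected to the loopback listener. pf still filters the redirected
# connection, so the NAT rule provides reachability, not protection;
# access control stays in the filter rules.
rdr pass on em0 proto tcp from any to (em0) port 443 -> 127.0.0.1 port 8443

; ===== Option B: bind to every address, no NAT rule needed =====
; Same service section, but the listener is tied to whatever addresses
; exist at start-up. If the WAN address changes later, the socket may
; need the daemon to be restarted to follow it.
[https-frontend]
accept  = 0.0.0.0:443
accept  = :::443
connect = 10.0.0.5:80
cert    = /usr/local/etc/stunnel/server.pem
```

After applying either variant, `sockstat -4 -6 -l` on the firewall shows which addresses stunnel actually bound to, and a connection to the WAN address on port 443 should appear in `pfctl -s state` with the redirect target 127.0.0.1:8443 in option A.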
Title: Re: Why using stunnel via NAT only?
Post by: 8191 on August 02, 2020, 09:40:23 pm
Thanks for the explanation! So the reason is more a stability issue than a security issue?