
Author Topic: Why using stunnel via NAT only?  (Read 242 times)

8191

Why using stunnel via NAT only?
« on: August 02, 2020, 09:24:11 am »
Hi,

The stunnel documentation, as well as the GUI help on the plugin's configuration, mentions that it's safest to bind stunnel to localhost only and use NAT to forward traffic to stunnel. On the other hand, the online help for NAT mentions that NAT should not be used as a security measure.

So my question would be:
Why does the author of the stunnel plugin consider binding to a loopback address more secure than binding to the interface address, which is protected by pf anyway?

Thanks and BR
Manuel

fabian

Re: Why using stunnel via NAT only?
« Reply #1 on: August 02, 2020, 02:05:41 pm »
The lo0 interface will not go down, so a network outage or IP address renewal will not crash the daemon. If you have a static IP and a stable connection, it should not make a difference.
The alternative is to bind to all IP addresses with 0.0.0.0 and ::

8191

Re: Why using stunnel via NAT only?
« Reply #2 on: August 02, 2020, 09:40:23 pm »
Thanks for the explanation! So the reason is more a stability issue than a security issue?