Is it possible to have a machine behind a firewall AND have a public IP address?
Is it possible to have a machine behind a firewall AND have a public IP address? What is this called or where can I find more info?
My initial reaction is: No, this is not possible because if a machine is behind a firewall it will have private IP address and external communication will be via NAT.
Solution 1:
Most non-enterprise firewalls operate in one of two modes: NAT or bridged.
NAT is the traditional topology that you're thinking of. The firewall has the only public IP on the network, and is translating between it and a private, non-routable class. In this case, machines "behind" the firewall have private IP addresses, and therefore are not publicly routable.
In bridged mode the firewall is configured to effectively cover an IP "space." This space is basically the network/netmask on which the IPs are located. For example, the publicly routable class 74.52.192.0/29, which encompasses 74.52.192.1 - 74.52.192.7, can be configured on a firewall with the firewall interface having any address in the range. If the firewall is in bridged mode and configured as such, you will be able to have machines connecting as any of the other IPs in the 74.52.192.0/29 network (the one that the firewall is using is of course unavailable).
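As an added illustration of the bridged mode described above (this is not the answerer's configuration, and the original post contains no ruleset), here is a Linux nftables ruleset for a transparent firewall that sits in front of the 74.52.192.0/29 block without holding the only public address. The interface names (eth0 facing the upstream router, eth1 facing the protected hosts, both enslaved to bridge br0), the choice of 74.52.192.2 and 74.52.192.3 as protected hosts and the permitted services are assumptions made for the example. Connection tracking in the bridge family requires a kernel of 5.3 or later with the nf_conntrack_bridge module.

```nft
#!/usr/sbin/nft -f
# Added example: transparent (bridged) firewall covering 74.52.192.0/29.
# Bridge setup assumed to have been done beforehand, e.g.:
#   ip link add br0 type bridge
#   ip link set eth0 master br0 && ip link set eth1 master br0
#   ip link set br0 up
# The protected hosts keep their own public addresses; the firewall only filters
# frames crossing the bridge, so it does not consume an address from the /29.

flush ruleset

table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the firewall has already allowed
        ct state established,related accept
        ct state invalid drop

        # Hosts inside the /29 may open connections outward (assumed policy)
        iifname "eth1" ip saddr 74.52.192.0/29 ct state new accept

        # Inbound: only selected services on selected public hosts (assumed)
        iifname "eth0" ip daddr 74.52.192.2 tcp dport { 80, 443 } ct state new accept
        iifname "eth0" ip daddr 74.52.192.3 tcp dport 22 ct state new accept

        # Let the hosts be pinged, but rate-limited
        iifname "eth0" ip daddr 74.52.192.0/29 icmp type echo-request limit rate 5/second accept

        # Everything else inbound hits the drop policy
    }
}
```

Load it with `nft -f` and inspect the live counters with `nft list ruleset`. The point to verify after loading is that a new inbound connection to a host in the /29 on a port not listed above is dropped while the host's own outbound connections and their replies pass, which is exactly the "public address, but not reachable" situation the answers on this page describe.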
Solution 2:
It is absolutely possible to do that. I work for a university that was lucky enough to get a Class B network (a /16 network in CIDR notation) back when they were passing them out (very roughly 20-25 years ago). Right this very moment my workstation, a workstation mind, is parked on a publicly routeable IP address. In fact, we have relatively few RFC1918 addresses in use. The few that are in use are used for PCI compliance (the standards mandate NAT) and network management. You just can't GET to my workstation from the public internet because the firewall prevents access.
In fact, the machines in our innermost secure sanctum are also running on public IP addresses. There are two firewalls between them and the public internet. When we contract for 'security scans' from 3rd parties, we have the ability to give them unrestricted access from an IP address they specify, which gives them the next best thing to 'on the same network' scanning. And then we take it away from them, and they can't get back in. It works great. Heck, this is how the Internet was intended to work back in that more trusting time before spam was invented. It still can.
In fact, IPv6 was originally designed around eliminating the need for NAT. There will be enough addresses for everyone, so the need to hide behind such gateways was (in theory anyway) made redundant. In other words, make the Internet work the way it was supposed to work. NAT support was bolted on very late in the process, in no small part due to staunch advocacy from the part of the InfoSec establishment that values invisibility as a defensive measure.
The key thing to keep in mind here is that NAT is not a fundamental function of a firewall, it is merely closely associated. When used with a firewall it merely obscures what attack surfaces may exist behind it. Our internet-facing firewall isn't doing any NAT at all, and our intranet-facing firewall is only doing a little (PCI-related).
I know many, many computer professionals who get a shiver when they discover the IP address of their device is publicly routeable. It is no less secure than an RFC1918 address when behind properly configured perimeter security devices. This 'public IP is bad' concept is enshrined in the PCI standards, and will have to be reassessed in light of wider IPv6 deployments.
Solution 3:
Is it possible to have a machine behind a firewall AND have a public IP address? What is this called or where can I find more info?
Sure. It depends on you having routeable IP address space, and a firewall OS that can also act like a router (Linux, and others).
If you have real address space that you can subnet then this is trivial. Just put a subnet on one of the network interfaces inside the firewall.
You can even do this using only a single subnet if you do some magic with proxy arp. Pseudo-bridges with Proxy-ARP.
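Solutions 2 and 3 both describe the same arrangement: a publicly routed subnet sitting behind a Linux box that routes and filters but does no NAT, with access for an outside scanner granted and revoked on demand. The ruleset below is an added example of that setup and is not from either answerer or from the university mentioned in Solution 2. It assumes the firewall routes the RFC 5737 documentation block 203.0.113.64/26 on eth1 (the upstream router sends that block to the firewall's eth0 address), that 203.0.113.66 is a web server in the subnet, and that 198.51.100.7 stands in for the scanner's address; all of these are constructed values.

```nft
#!/usr/sbin/nft -f
# Added example: routed public subnet behind a non-NAT stateful firewall.
# Host-side prerequisites (assumed):
#   sysctl -w net.ipv4.ip_forward=1
#   ip addr add 203.0.113.65/26 dev eth1      # firewall's address inside the subnet
#   (the upstream router carries a route for 203.0.113.64/26 via this firewall)

flush ruleset

table inet fw {
    # Outside addresses currently granted unrestricted access, e.g. a contracted
    # scanner. Empty by default; elements are added and removed at runtime:
    #   nft add element inet fw scanner_src { 198.51.100.7 }
    #   nft delete element inet fw scanner_src { 198.51.100.7 }
    set scanner_src {
        type ipv4_addr
        flags interval
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Machines on the public subnet may initiate connections outward
        iifname "eth1" ip saddr 203.0.113.64/26 ct state new accept

        # Temporarily whitelisted scanner sources see the subnet unfiltered
        iifname "eth0" ip saddr @scanner_src ip daddr 203.0.113.64/26 accept

        # Normal inbound policy: only published services (assumed: one web server)
        iifname "eth0" ip daddr 203.0.113.66 tcp dport { 80, 443 } ct state new accept
        iifname "eth0" ip daddr 203.0.113.64/26 icmp type echo-request limit rate 10/second accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Management of the firewall itself only from the protected side (assumed)
        iifname "eth1" tcp dport 22 ct state new accept
    }
}
```

Nothing in this ruleset rewrites addresses: every host in 203.0.113.64/26 keeps its public address end to end, and reachability from the Internet is decided purely by the forward chain. Emptying the scanner_src set (or deleting the specific element) is what "take it away from them" amounts to; existing scanner connections still matching the established rule can be flushed with `conntrack -D -s 198.51.100.7` if they must end immediately.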
Solution 4:
As you can see from the other answers, there are multiple ways to do this depending on what devices you have and what needs you have.
For example, the Juniper Netscreen series of firewall devices has a "Mapped IP" or MIP construct -- using this, you assign a MIP which is a real, routable IP address separate from the firewall's main IP address, and tell the firewall which private IP behind the firewall to pass the packets back to. The firewall uses policies to decide which services are passed back/forward to the private IP. NAT'ing is handled by the firewall; the private IP computer does not necessarily need to know what its MIP is.
The old 3Com SuperStack3 had a DMZ function, where public IPs were defined as "in the DMZ". You configured your system as if it was a public-IP'd system, but again policies on the device controlled which services were permitted through.
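The Netscreen MIP and the SuperStack DMZ entries above are vendor names for a one-to-one mapping between a spare public address and a private host, with policies still deciding which services pass. As an added example (not Juniper's or 3Com's configuration, and not from the answerer), the same construct on a Linux firewall in nftables: the public address 203.0.113.10 is mapped to the private host 192.168.10.20, and the forward chain applies the service policy against the private address because destination NAT has already happened by the time the forward hook runs. Interface names and both addresses are assumptions taken from the RFC 5737 and RFC 1918 ranges.

```nft
#!/usr/sbin/nft -f
# Added example: one-to-one "mapped IP" on a Linux firewall.
# The firewall must answer ARP for the mapped address on its outside interface,
# which is simplest if the address is added to eth0 as a secondary address (assumed):
#   ip addr add 203.0.113.10/32 dev eth0
#   sysctl -w net.ipv4.ip_forward=1

flush ruleset

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Anything arriving for the mapped public address goes to the private host
        iifname "eth0" ip daddr 203.0.113.10 dnat ip to 192.168.10.20
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Connections the private host opens leave with its mapped address,
        # so the host appears on the Internet as 203.0.113.10 in both directions
        oifname "eth0" ip saddr 192.168.10.20 snat ip to 203.0.113.10
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Service policy, written against the post-DNAT private address:
        # only HTTP/HTTPS are passed through to the mapped host (assumed policy)
        iifname "eth0" ip daddr 192.168.10.20 tcp dport { 80, 443 } ct state new accept

        # The mapped host may initiate outbound connections
        iifname "eth1" ip saddr 192.168.10.20 ct state new accept
    }
}
```

The mapped host itself is configured with only 192.168.10.20 and its default gateway on the firewall; as in the Netscreen case it does not need to know its public address. A quick check after loading is `nft list table inet nat` to confirm both translation rules are present, then opening a connection to 203.0.113.10 on a port outside the policy set and confirming it is dropped rather than forwarded.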