While the inverse masquerading described in the previous section allows at least one service of each type (e.g. one web, one mail and one FTP server) to be exposed, the method is subject to some restrictions.
- The service of the exposed host must be supported and 'understood' by the masquerading module. For example, some VoIP servers use non-standard, proprietary ports for advanced signaling. As a result, such server services can only be operated over connections without masquerading.
- From the security standpoint, it must be noted that the exposed host is located in the local network. If this computer is hijacked by an attacker, it can be abused as a starting point for attacks against other machines in the local network.
Note: To prevent attacks from a 'cracked' server on the local network, some devices feature a dedicated DMZ interface (e.g. the LANCOM 7011 VPN). Other models with a 4-port switch are able to separate their LAN ports (either individually or "en bloc") by hardware on the Ethernet level (LANCOM 821 ADSL / ISDN, LANCOM 1511 DSL, LANCOM 1521 ADSL, LANCOM 1621 ADSL / ISDN, LANCOM 1711 VPN, LANCOM 1811 DSL and LANCOM 1821 ADSL).