Vic,

Thanks a lot for your answer.

Using Linux firewalls on z/Series is not an option. Our security people have their own
firewalls, networks, procedures ... and we must use them.

If I can't turn off the direct connectivity, I will have to try something else. An 
option would be to buy an OSA-2.

Or VLANs in the future, if VLANs are really isolated from each other (also in the OSA-E).

Regards,
Herve




-----Original Message-----
From: Vic Cross [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 15 October 2002 14:43
To: [EMAIL PROTECTED]
Subject: Re: Content zone question

On 15.10.2002 at 14:51:24, Herve Bonvin <[EMAIL PROTECTED]> wrote:

<snip>
> I have 2 OSA-E ports. One for the content zones and one for the intranet. Is
> it possible to share a port between the 2 content zones ? Direct
> communication is of course not permitted.

I was not completely clear where the firewall is going, but keep this in mind:
any systems that share an OSA-E port will have direct connectivity between them.
This is provided by the microcode of the OSA-E and I do not know of a way to
turn it off.

So, if the firewall is meant to isolate all three systems from each other, then
you will need another OSA-E port.  If two of the zones can have direct
connectivity, they can share a port.

Also keep in mind that some very effective firewalls can be built using iptables
(ipchains for kernel 2.2).  It may be feasible for two of the systems to use
Linux firewalling to allow them to share an OSA-E port; the requirements for the
isolation (from each other) of those systems might not be as stringent as you
would require in protecting your DB2 zone from the Internet. (did that make
sense?)

Cheers,
Vic Cross
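As an added illustration of the host-firewall approach Vic describes (this is example code, not part of the thread): an iptables ruleset for one Linux guest that shares an OSA-E port with a second guest, so that the traffic the OSA-E microcode delivers directly between them is dropped on the guest itself while normal intranet traffic is still allowed. The peer address, interface name and intranet range are placeholders, and `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread. Host firewall for a Linux guest
# that shares an OSA-E port with another guest. Because the OSA-E delivers
# guest-to-guest traffic directly, the external firewall never sees it; the
# only place it can be blocked is on the guests themselves, so each guest
# must run rules like these (a host firewall protects only the host running it).
# Set IPT=echo to dry-run (prints the rules instead of applying them).
IPT="${IPT:-iptables}"

# apply_rules <peer_guest_ip> <interface> <intranet_cidr>
# Example values are placeholders: apply_rules 10.0.0.6 eth0 10.0.0.0/24
apply_rules() {
    peer="$1"; dev="$2"; intranet="$3"

    # Default deny in every direction, then open only what is required.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -F INPUT
    "$IPT" -F OUTPUT

    # Loopback is always permitted.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Log and drop anything from or to the peer guest on the shared port.
    # These rules come first so nothing below can accidentally admit the peer.
    "$IPT" -A INPUT  -i "$dev" -s "$peer" -j LOG --log-prefix "OSA-peer-drop: "
    "$IPT" -A INPUT  -i "$dev" -s "$peer" -j DROP
    "$IPT" -A OUTPUT -o "$dev" -d "$peer" -j DROP

    # Stateful traffic with the intranet: replies to our own connections,
    # plus one example inbound service (SSH). Add one NEW rule per service.
    "$IPT" -A INPUT  -i "$dev" -s "$intranet" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -o "$dev" -d "$intranet" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT  -i "$dev" -s "$intranet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}
```

Run `IPT=echo sh -c '. ./rules.sh; apply_rules 10.0.0.6 eth0 10.0.0.0/24'` to review the generated rules before applying them as root on the guest.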
