I'm reworking my home (SDSL) firewall and am thinking about architecture. Previously, I'd just been running OpenBSD+ipfilter on a Sparc IPX, with packet filtering and NAT in the same box. Two interfaces, no application-level proxies. No inbound services, just outbound client stuff.
Recently I've been thinking about separating the packet filtering from the NAT box, by running the OpenBSD box as a "transparent" bridging packet filter, with no IP interfaces. Then I'd run a second similar box as the NAT router, possibly with a set of packet filter rules as a second line against the bridging filter. This would be a three-legged config, with an outside and inside interface, and a DMZ interface/network on which to run some bastion hosts.

My question is: at what point do the benefits of compartmentalizing functions like this, in their own (possibly differently-hardened or heterogeneous) boxes, become outweighed by the complexity of configuring, managing, and monitoring such a setup? The more stuff there is to configure, especially without scary remote-administration tools like cfengine, the higher the probability of a mistake creating a hole. And the higher the difficulty of testing/validating.

Thanks....

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
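
The layered design raised in the post (bridging filter in front of a three-legged NAT router) can be sanity-checked before it is deployed. The following is an added illustration, not code from the poster or from OpenBSD/ipfilter: a toy policy model with constructed rulesets in a made-up zone-based format, used to find flows that only one of the two boxes blocks (where a single mistake opens a hole) and flows that both boxes let through against the intended policy.

```python
# Toy model of the two-box design: a transparent bridging filter in front of a
# three-legged NAT router (outside / inside / DMZ). Rule format and rulesets are
# constructed for illustration; they are not ipfilter syntax.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # zone: "outside", "inside", "dmz", or "any"
    dst: str               # zone as above
    port: Optional[int]    # destination port, None = any port

def decide(rules, src, dst, port):
    """First matching rule wins; default deny, the stance both boxes should share."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action == "pass"
    return False

# Intended policy on both layers: inside may go out, outside reaches only the
# DMZ bastion's SMTP/HTTP, nothing from outside to inside. (constructed)
BRIDGE_RULES = [
    Rule("pass", "inside", "outside", None),
    Rule("pass", "outside", "dmz", 25),
    Rule("pass", "outside", "dmz", 80),
    Rule("pass", "outside", "inside", 23),   # deliberate mistake: inbound telnet left open
]
NAT_ROUTER_RULES = [
    Rule("pass", "inside", "outside", None),
    Rule("pass", "outside", "dmz", 25),
    Rule("pass", "outside", "dmz", 80),
]

def traverse(src, dst, port):
    """A flow crosses the bridge and then the NAT router; both must pass it."""
    return decide(BRIDGE_RULES, src, dst, port) and decide(NAT_ROUTER_RULES, src, dst, port)

def single_layer_only(probes):
    """Flows stopped by exactly one box: a mistake on that box alone creates a hole."""
    out = []
    for f in probes:
        blocks = [not decide(BRIDGE_RULES, *f), not decide(NAT_ROUTER_RULES, *f)]
        if blocks.count(True) == 1:
            out.append(f)
    return out

def find_gaps(intended_denies, probes):
    """Flows the intended policy forbids but the combined layers let through."""
    return [f for f in probes if f in intended_denies and traverse(*f)]

# Constructed probe flows (src zone, dst zone, dst port) and the flows policy forbids.
PROBES = [("outside", "inside", 23), ("outside", "dmz", 25),
          ("outside", "inside", 80), ("inside", "outside", 443)]
INTENDED_DENY = {("outside", "inside", 23), ("outside", "inside", 80)}
```

Here the bridge's telnet mistake is still caught by the NAT router, so `find_gaps` is empty, but `single_layer_only` flags that flow as depending on a single box, which is exactly the extra validation burden the post is weighing.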
