On Mon, 8 Apr 2002, Mikael Olsson wrote:

> (Or strip URG data, which is what a proxy usually would be doing ;))

Not really, the proxy would be using URG if it was necessary in its role as a client.

> Isn't there an interesting flip-side to this? That since the firewall
> needs to know about all of this (it being properly upgraded and
> professionally administered and all), it can also trigger alerts on
> these events?

Perhaps.

> > 4 Ultra2's with 3 QFEs each (yes, the U2 is EOL, but that's how I used to
> > build them.) Lots of PCs with Linux and open source proxies. One box
> > with lots of proxies and per-ruleset and per-address block IP to proxy
> > mappings. Alternately, IPSEC to the proxies. That's if you want fair
> > separation, otherwise, just do it in the rulebases.
>
> Are you telling me that you've actually set up and successfully supported
> installations like this? (With or without IPSEC to the proxies?)

Without IPSEC, though without as many separate zones (but engineered to have many more in some cases.)

> Don't get me wrong; I'm just baffled and would truly like to know.
>
> On another note: I think my original question was more aimed at
> commercially available stuff, although I didn't say that - I know. Open

The U2/multiple QFE solution was commercial, and Internet-facing. The Linux/Open Source stuff was to firewall WAN links (proxy-to-proxy.)

> source is all well and good, given the standard set of arguments, but
> often you also trg gb or fpnerq fuvgyrff ol fbzr crbcyr'f (ynpx bs)
> pbqvat cenpgvprf. But then again, that's all IMHO and very inflammatory,
> hence the ebg13.

Indeed, however I was sticking to my experiences fielding such things- and without the enterprise license from hell, it gets expensive to go with the commercial alternatives. FWIW, I'm more scared by what I've seen out of vendors.

> to hash out. I'll try to stay away from evangelism and flames if you
> do the same, mkay? :)

What fun would that be? ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
