On Thursday 23 October 2003 02:50 am, Erich Titl wrote:
[...]
> There is no NAT on the inner firewall, but then there is no NETBIOS traffic
> either through the firewall.

Hmmm... so it is running proxy-arp on the inner firewall (assuming this
is the only way you can filter w/o routing).

> I know that routing is going to be tricky, we will probably drop the
> extruded subnet idea as it is too big a security risk to have a subnet
> extended right into the heart of our secure zone.

Yeah, if the firewall is answering a /16, then it is likely not the best
idea to keep them on the same subnet. It might be a better idea to
proxy-arp the DMZ and route/NAT the internal net, which keeps the DMZ on a
separate subnet behind the firewall.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81

------------------------------------------------------------------------
leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html