/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */



>rich <[EMAIL PROTECTED]> wrote:
>>
>> Anyway, here is one more quick question -- since these web servers
>> were once in front of the firewall and now are behind, AND all the
>> users point to a DNS on the OUTSIDE, which means they only resolve the
>> OUTSIDE addresses -- can you make the portfw work from BOTH sides???

One solution that is working well for us:

Use a second firewall.

PROS:
- You see what the client sees; if there's a problem with the firewall, you
experience it too.
- You can use more restrictive rules, since you know what traffic is coming
in & out.

CONS:
- Obviously you have to pay for more hardware (this cost depends on what
you've got lying around).
- Need a second IP.
- If on the same network, traffic traverses it twice (switches and 100baseT
minimize this).


Setting up a second network adds security, since each network has only 1
point of attack, but typically you'll need to allow more access through the
firewall (Telnet and/or FTP for maintenance), though you can restrict this
to your other MASQ firewall.

Putting them on the same network simplifies maintenance and firewall rules,
but adds traffic, and security failure on one imperils the other.



_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
