In article <[EMAIL PROTECTED]>, Brad Chapman <[EMAIL PROTECTED]> wrote:
>> My firewalls have between 3 and 10 interfaces connecting up to 8
>> subnets and "the Internet." Half of the interfaces are some kind of
>> crypto tunnel (IPSEC, CIPE, whatever). Usually at least one interface
>> on any given machine has a dynamic IP. Most machines have at least two
>> uplinks to the Internet, although only a few use more than one at any
>> one time.
>
> Wow. Those are some serious server machines :)
I'm sure these machines are flattered to hear themselves called "serious servers". ;-)

The machines start out with one or two interfaces, then they grow over the years until they reach some maximum manageable size, then they seem to split in two for reliability or isolation purposes.

I get roughly the same amount of implementation heada^H^H^H^H^Hcomplexity from a laptop with just its built-in hardware plus a PCMCIA card as I do from a medium-sized corporate firewall. A laptop might have a half dozen different ways to get a network connection, even if it can't physically use more than one or two at a time...but if the laptop also has a VPN to Head Office, then that's two interfaces in action at once, so I have to make sure the laptop can't act as a router...unless the laptop is running VMWare with some program that has to access the VPN, in which case the laptop _does_ have to act as a secure router.

A corporate firewall might start with private/public interfaces, then later get either a full-time redundant internet uplink or part-time failover to dialup PPP. Then you add a DMZ. Then you add a modem pool. Then you merge with another corporation. Then you add VPNs. Then you consolidate a bunch of old proprietary network hardware into the Linux firewall. Then you add a branch office. Then you add another vendor's VPNs. Then you purchase a smaller corporation. Then you add wireless. Then you try to upgrade from ipchains to iptables, and you realize that sometimes backward compatibility can be a Good Thing. :-)

--
Zygo Blaxell (Laptop) <[EMAIL PROTECTED]>
GPG = D13D 6651 F446 9787 600B AD1E CCF3 6F93 2823 44AD
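The laptop case described in the post above (no forwarding at all while on the VPN, versus forwarding only from a VMware guest network into the VPN) is a small iptables/sysctl policy. The following is an added example written for this page, not the poster's own configuration: interface names are assumptions (tun0 for the Head Office VPN, vmnet8 for the VMware guest network), and the rules are printed rather than executed so they can be reviewed before being applied on a real machine.

```sh
#!/bin/sh
# Added example, not from the original post. Interface names (tun0, vmnet8)
# are assumptions; substitute whatever your VPN and VMware networks are called.

# emit_rules MODE VPN_IF VM_IF
#   host     - laptop must never forward between any two interfaces
#   vmrouter - laptop forwards only between the VMware guest net and the VPN
# Prints the commands instead of running them.
emit_rules() {
    mode=$1; vpn_if=$2; vm_if=$3
    case "$mode" in
    host)
        # Belt and braces: kernel forwarding off AND a DROP policy on FORWARD,
        # so a stray "ip_forward=1" from some VPN start script still leaks nothing.
        echo "sysctl -w net.ipv4.ip_forward=0"
        echo "iptables -P FORWARD DROP"
        echo "iptables -F FORWARD"
        ;;
    vmrouter)
        echo "sysctl -w net.ipv4.ip_forward=1"
        echo "iptables -P FORWARD DROP"
        echo "iptables -F FORWARD"
        # Guests may open connections only towards the VPN, never out eth0/ppp0.
        echo "iptables -A FORWARD -i $vm_if -o $vpn_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        # Head Office may only answer guest-initiated connections; no NEW from the VPN side.
        echo "iptables -A FORWARD -i $vpn_if -o $vm_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # Everything else is logged, then dropped by the policy.
        echo "iptables -A FORWARD -j LOG --log-prefix 'laptop-fwd-drop: '"
        ;;
    *)
        echo "usage: emit_rules host|vmrouter VPN_IF VM_IF" >&2
        return 1
        ;;
    esac
}

# Number of ACCEPT rules in FORWARD for a given mode; "host" must give 0.
count_forward_accepts() {
    emit_rules "$@" | grep -c -- '-A FORWARD .* -j ACCEPT' || true
}

# 1 if any ACCEPT rule lets a NEW connection in from the VPN interface, else 0.
vpn_can_initiate() {
    emit_rules "$@" | grep -c -- "-i $2 .*NEW.* -j ACCEPT" || true
}

# Apply for real (requires root): apply_rules vmrouter tun0 vmnet8
apply_rules() {
    emit_rules "$@" | sh -e
}

# Command-line use: ./laptop-fw.sh show vmrouter tun0 vmnet8
case "${1:-}" in
show)  shift; emit_rules "$@" ;;
apply) shift; apply_rules "$@" ;;
esac
```

The point of keeping both `ip_forward=0` and the `FORWARD DROP` policy in host mode is that either one alone is easy to lose: a VPN client's up-script may flip the sysctl, and a later `iptables -F` may empty the chain, but with a DROP policy an empty chain still forwards nothing.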