Jeff Waugh wrote:

><quote who="Andy Eager">
>
>>OK, I'm prepared to be knocked down in flames here (only if you're gentle)
>>
>
>You want to be flamed for the consultant's suggestion? :)
>
No, but I backed it up with my own research, therefore it makes it mine 
as well!!!

>>but recently I paid a reasonably well known Linux consultant to advise me
>>on a job I'm doing for a paying customer to install a firewall (that has
>>to do masquerading of all well known services).  His/her suggestion was to
>>stick with ipchains for the time being (preferably under 2.2 kernel
>>because the helper modules were already written and known to work)
>>
>
>His/her suggestion was absolutely correct (if you need to do masq on all
>well known services). Generally, for everyday business firewalls, you don't
>have to worry... How often do you find that h323 is an absolute requirement
>for a small business?
>
>- Jeff
>
Jeff, I absolutely respect your opinion, after all you pointed me in the 
direction of postfix in all its glory and I owe a great many beeeeeeers 
for that and a great many emails on other things as well.  However, I 
don't know that H323 (as esoteric as it may be) is what we were talking 
about here.  Masquerading of _WELL KNOWN SERVICES_ like telnet, 
realaudio, ssh etc is the key point.  

As far as I can see, NAT (a particular case of masquerading) has a 
limitation with these well known services when compared with ipchains. 
The old helper tasks handle connection tracking (which is a real 
bastard) as well as NAT... Particularly if you need to masquerade 
through both bastion and choke firewalls.

If I'm missing something someone please let me know.

Yours enquiringly,

Andy E.



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
