[BlueOnyx:04834] Re: Firewall for Datacenter
Michael Stauber
mstauber at blueonyx.it
Mon Jun 28 17:45:49 -05 2010
Hi Christoph,
> I have to counter that, actually if you desire that setup, its as easy
> as blocking all traffic in the incoming interface of your bridge and
> allowing what you want. Probably a good start for a proper firewall
> setup anyway.
True. But I'd rather have unused ports unconnected to begin with than have
something theoretically open, but then have to put a measure in place to
close it. Compared to the hassles that NAT otherwise imposes, this is just a
very setback.
> I believe you would need a perfect copy for forward and reverse entries
> internally on the natted network anyway sooner or later or the sort of
> problems you never thought about before will pop up over time ;)
Exactly. I've had to maintain such a carbon copy of my DNS in the last couple
of years for my own NAT'ed network. As my DNS doesn't fluctuate that much
(aside from adding or removing a VPS or a domain every couple of weeks) this
was manageable. But I wouldn't want to deal with it on a daily basis.
> I still would say it is bad advice/proposal to Gerald renumbering his
> network, just because the product in question doesn't support that
> setup.
That's right. A firewall is an important piece of the network architecture,
but it shouldn't dictate how you have to structure your network layout.
Also, Smoothwall only supports 3 NICs at the most, which - for me - isn't
enough ("RED", "Office", "DMZ" and "WLAN").
--
With best regards
Michael Stauber
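The "carbon copy" of DNS that the thread above talks about is a split-horizon setup: the internal view of the zone has to carry the same names as the public zone, but with A records rewritten to the private addresses behind the NAT and matching reverse (PTR) entries. The following is an added example, not code from the BlueOnyx list or from Smoothwall; it derives the internal view from the public zone and a NAT table, so the two never drift apart by hand. The zone records, the NAT mapping and the `example.com` names are constructed sample data, and `internal_view` and `render_zone` are hypothetical helper names.

```python
"""
Generate an internal (split-horizon) DNS view for a NAT'ed network.

Added example, not code from the BlueOnyx list or its authors. Assumes a
hypothetical setup: public A records point at routable addresses, a NAT
table maps each public address to the private address of the host behind
the firewall, and the internal view must carry matching forward and
reverse (PTR) entries.
"""
import ipaddress

# Constructed sample data: public zone records as (name, type, value).
PUBLIC_ZONE = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("mail.example.com.", "A", "203.0.113.20"),
    ("ftp.example.com.", "CNAME", "www.example.com."),
    ("ns1.example.com.", "A", "198.51.100.5"),  # hosted elsewhere, no NAT
]

# Constructed NAT table: public address -> private address.
NAT_MAP = {
    "203.0.113.10": "192.168.10.10",
    "203.0.113.20": "192.168.10.20",
}


def reverse_name(ip):
    """Return the in-addr.arpa owner name for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def internal_view(public_zone, nat_map):
    """Derive forward and reverse records for the internal view.

    Returns (forward, reverse, untranslated):
      forward      - public records with A values rewritten to private addresses
      reverse      - PTR records for every translated private address
      untranslated - A records whose public address has no NAT entry; these are
                     copied unchanged and reported so an operator can review them
    """
    forward = []
    reverse = []
    untranslated = []
    for name, rtype, value in public_zone:
        if rtype == "A" and value in nat_map:
            private = nat_map[value]
            forward.append((name, "A", private))
            reverse.append((reverse_name(private), "PTR", name))
        else:
            if rtype == "A":
                untranslated.append((name, value))
            # CNAMEs and other types carry no address, so they are copied as-is.
            forward.append((name, rtype, value))
    return forward, reverse, untranslated


def render_zone(records):
    """Render (name, type, value) records as zone-file lines."""
    return "\n".join(f"{n}\tIN\t{t}\t{v}" for n, t, v in records)


if __name__ == "__main__":
    fwd, rev, missing = internal_view(PUBLIC_ZONE, NAT_MAP)
    print("; internal forward view")
    print(render_zone(fwd))
    print("; internal reverse view")
    print(render_zone(rev))
    for name, ip in missing:
        print(f"; no NAT entry for {name} ({ip}); left pointing at public address")
```

Records whose public address has no NAT entry are deliberately left untouched and reported rather than silently dropped: a host that is genuinely outside the NAT (like the `ns1` example) must keep its public address, while a host that is inside but missing from the table is exactly the kind of inconsistency the thread warns about.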