On 3 August 2011 13:03, Johannes Meixner <jsmeix@suse.de> wrote:
> I wonder why you seem to use firewalls inside your internal network to do this (i.e. with firewalls running on each host in the internal network)?
> Why don't you do this with a firewall at the borderline of your internal network (i.e. with a dedicated firewall machine that protects your whole internal network)?
> If a malicious user is inside your internal network, neither explicit IP address requirements nor subnetting nor blocking what goes into your internal network helps.
The problem seems to be that you are thinking of "firewall", whereas I answered a question about why you may want to filter packets or restrict access to services in what is meant to be a "trusted" network. If you are in a large corporate network, then other people in other departments may be in charge of the corporate Internet "firewall"; you cannot "balkanise" physically, and branch offices require connection to services, because the infrastructure is shared for cost, flexibility & practical reasons. Modems may be less common now, but such was a possibility for subverting a corporate firewall; perhaps VPNs are more common nowadays. The "trusted" vs "external" distinction is, as I think I said before, too black & white and fails in real-world situations, where not every employee is impeccable and departments can have conflicts of interest. For example, one department may be spun off and sold to a commercial rival of another part of the corporation. Furthermore, one department may minimise disruption, whereas another that's open and poorly administered may be completely compromised. These are things I have personally experienced; it's the real world.

Rob

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org