Bruno Cochofel wrote:
Ok, let's say I'll put a firewall PC on my network...
I have to create a masquerade rule to let the internet access my intranet web server, right? (By the way, I'm trying to find out how to do that under YaST but don't get the difference between the options Source network and requested IP, so if someone helps me on this I'd appreciate it... There are several options to create a rule, so please elucidate me.)
Yes, that is an advanced firewall configuration, and it doesn't surprise me if it isn't easy.
Doesn't this rule open a hole in my intranet security if, let's say, my web server gets compromised?
Yes it does. The usual "enterprise" way to address that is with an elaborate network, which has an outer firewall that is fairly porous and *not* NAT'd, a DMZ network populated with publicly routable servers such as your web server, an inner firewall that does do NAT, and finally your local LAN. Machines in the DMZ are more vulnerable, but that's fairly ok because your really important stuff is behind the 2nd firewall. The minimal-number-of-machines approach requires that you either configure the masquerade rule you mentioned, or host the web server on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :)

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
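The two designs discussed in this exchange, written out as raw iptables rulesets. This is an added example, not code from the thread, from YaST or from SuSEfirewall2, and it does not reproduce YaST's own rule dialog. The interface names (eth0/eth1/eth2), the private LAN 10.0.0.0/24, the LAN web server 10.0.0.5 and the publicly routable DMZ web server 203.0.113.10 are all assumptions chosen for illustration; the function only prints the commands, so it can be inspected without root. The "minimal" design is the single-gateway port forward (DNAT plus masquerade) Bruno asked about; the "dmz" design is a three-legged gateway that collapses Crispin's outer and inner firewalls onto one box, so the rule that actually closes the hole (DMZ may never open connections toward the LAN) is visible next to the one that opens it.

```shell
#!/bin/sh
# Added example (not from the original thread): print an iptables ruleset
# for one of the two designs discussed. Every name/address below is an
# assumption; adjust to your gateway before applying anything.
WAN_IF=eth0                 # Internet side
LAN_IF=eth1                 # trusted LAN
DMZ_IF=eth2                 # DMZ leg, only used by the "dmz" design
LAN_NET=10.0.0.0/24         # private LAN (assumed)
LAN_WEB=10.0.0.5            # web server sitting on the LAN, "minimal" design (assumed)
DMZ_WEB=203.0.113.10        # publicly routable web server in the DMZ (assumed)

# gen_rules DESIGN  -- prints the commands to stdout; nothing is applied.
gen_rules() {
    case "$1" in
    minimal)
        cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# Return traffic for any connection the firewall already allowed
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN reaches the Internet behind the gateway's address
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# The "masquerade rule" for the web server: rewrite Internet -> gateway:80
# to the LAN web server, then permit exactly that forwarded traffic
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $LAN_WEB:80
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Nothing here restrains $LAN_WEB once compromised: its traffic to the rest
# of $LAN_NET stays on the LAN segment and never crosses this gateway.
EOF
        ;;
    dmz)
        cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# Return traffic for any connection the firewall already allowed
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outer side, no NAT: the Internet may reach the DMZ web server on port 80 only
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# DMZ hosts may talk outward (updates, DNS); they are publicly routable, so no masquerade
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -j ACCEPT
# Inner side does NAT: LAN reaches both the DMZ and the Internet
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# The rule that contains a compromised web server: DMZ may never open
# connections into the LAN (the DROP policy would catch it; stated explicitly)
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
EOF
        ;;
    *)
        echo "usage: gen_rules minimal|dmz" >&2
        return 1
        ;;
    esac
}

# Stand-alone use:  sh fw.sh dmz            (review the rules)
#                   sh fw.sh dmz | sudo sh  (apply them on the gateway)
case "${1:-}" in minimal|dmz) gen_rules "$1" ;; esac
```

In the "minimal" ruleset the DNAT and the matching FORWARD accept are the whole port forward; the gateway has no rule that could limit 10.0.0.5 once it is owned, which is the hole Bruno asked about. In the "dmz" ruleset the only line that differs in kind is the last one: the web server is reachable from outside, but a connection from it toward the LAN is dropped at the gateway, so whatever runs on the compromised host has to find another way in.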