I totally understand your dilemma and your desire to find a software, Linux solution. I mentioned this OT situation as perhaps we are expecting too much from any software. The fact that SUSE can maintain a well structured and stable SFP Firewall is to be well appreciated.

I made the comments regarding Hardware, as I feel we expect far too much of software to handle what is essentially a Hardware issue and one that is very easily solved and dealt with by Hardware. Perhaps our search for a software solution is not the most expeditious and most practicable solution for addressing both Network Address Translation and maintenance of VPN tunnels. Hardware solutions which can maintain both, like the unit I use, contain an x86 processor and 64Meg of RAM and operate on a Unix Operating System.

I appreciate the challenge of allowing software to perform the above duties for us and perhaps we are trying to re-invent the wheel where for many many years we have had really good stable hardware devices available. I also think that we have been sold the wrong end of the plug to resolve security issues and to maintain other duties like SPI, NAT, VPN, by many many software companies.

Fundamentally I think using software to address comms issues and security is flawed. I think there is great merit to the idea that security starts at the plug in the wall and ends at the desktop - because for years - and MS (SP2) has had a great influence in our thoughts - that comms and security issues be dealt with before we hand over comms to a Workstation and Desktop. It's a bit like trying to catch the bull after we have left the gate wide open for it to get out.

I appreciate your healthy discussion and reply.

Kind Regards
Scott 8-)

M Harris wrote:
On Tuesday 17 April 2007 19:52, Registration Account wrote:
I am interested in your comment about Network Address Translation not being happy with FTP.
Hi Scott-- it's a Linux NAT thing. It depends on your distro... and how much you know about NAT (configuration)... but basically there are some services that have not worked well (historically) with masquerading (the Linux software implementation of NAT). Special modules were always required, for instance, to fix irc and ftp in order to work through ip_masq. Hardware NAT may not have this problem. The thing is that some firewalls/routers are really older (very much older) Linux systems using ip_masq and ip_chains, and may not be set up properly with the fix modules for ftp and irc. So, it's something to look into.
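
The FTP problem described in the quoted reply, as an added example that is not part of the original e-mails: in active mode the client sends its own address inside the control-channel payload (`PORT h1,h2,h3,h4,p1,p2`, RFC 959), so NAT that rewrites only packet headers leaves a private address in the command, and a helper module has to rewrite the payload and admit the related data connection. The addresses, port numbers and function names are constructed for illustration, and the model is a simplification, not the kernel module's code.

```python
import re

# Active-mode FTP (RFC 959): the client announces where the server should
# connect back, as "PORT h1,h2,h3,h4,p1,p2" inside the TCP payload.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

def parse_port(line):
    """Return (ip, port) from a PORT command, or None if it is not a valid one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def build_port(ip, port):
    return "PORT {},{},{}\r\n".format(ip.replace(".", ","), port >> 8, port & 0xFF).encode()

def header_only_nat(line):
    """Plain masquerading: IP/TCP headers change, the payload does not."""
    return line

def ftp_helper(line, conn_src_ip, public_ip, public_port, expected):
    """Simplified model of an FTP NAT helper for one outbound control line.

    expected maps public_port -> (inside_ip, inside_port), i.e. the single
    inbound data connection the firewall will admit and forward.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line                      # not a PORT command: pass through
    ip, port = parsed
    if ip != conn_src_ip:
        return line                      # never open a pinhole to a third host
    expected[public_port] = (ip, port)
    # The new payload may differ in length, so a real helper must also
    # adjust TCP sequence numbers for the rest of the connection.
    return build_port(public_ip, public_port)

# Constructed sample: inside client 192.168.1.10, public address 203.0.113.5.
SAMPLE = b"PORT 192,168,1,10,195,80\r\n"

if __name__ == "__main__":
    pinholes = {}
    print(header_only_nat(SAMPLE))       # server is told to dial a private address
    print(ftp_helper(SAMPLE, "192.168.1.10", "203.0.113.5", 40000, pinholes), pinholes)
```

When auditing an older masquerading firewall, the thing to confirm is that the helper is loaded and that the pinholes it opens are limited to the host that owns the control connection, as the `conn_src_ip` check models here.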