On 2023-07-11 01:15, Marc Chamberlin via openSUSE Users wrote:
Bob Rogers wrote:
From: Marc Chamberlin via openSUSE Users users@lists.opensuse.org
Date: Sun, 09 Jul 2023 22:48:31 -0000

OK, so now you've renamed the zone for what it does (though a simpler, more rose-like, name might have served better).
LOL, OK, how about IMZ for internal militarized zone? I am not clear why the network hawks chose to use a military term (DMZ) for describing a particular type of network design, but I really don't care about the name, just the functionality.
But I think we're all still a bit unclear on what you hope to accomplish by having a separate network for external traffic. If this traffic all goes to the same hosts anyway, what difference does it make? In terms of security, or ease of configuration, or anything else?
What I want is for each system to present a different set of capabilities depending on where the access to that system is coming from. For example the security cameras will require authentication if access to the computer that controls them comes from the internet via my IMZ zone. So I want to route all traffic that comes from the internet, destined to a particular public IP address, to be routed onto the IMZ zone and passed to the computer that controls my security camera. But if access comes from my internal zone, then no authentication will be necessary.
Same goes for my computer that controls a telescope. I will want to be able to do things with the telescope (that potentially could damage the telescope, if misused) if I access it from my internal network (or from a VPN). If a guest accesses the telescope via a particular public IP address (that I own), that user will be routed via my IMZ zone to where he/she can access the telescope control computer via a different NIC and thus a different web interface that is more limited in capabilities.
In other words, each of my computers will be "two-faced", and how the computer is accessed will determine which of the computer's "faces" is presented. Andrei seems to be implying that this particular use case is uncommon and possibly not easy to support. To me, as an object oriented designer/developer, this type of usage of computers on a network seems to be an obvious one and should be easily supportable.
I suspect it is impossible to enforce.

-- 
Cheers / Saludos,
Carlos E. R. (from 15.4 x86_64 at Telcontar)
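The "two-faced" host Marc describes (full control from the internal NIC, an authenticated read-only subset from the NIC that IMZ traffic reaches) can be implemented in the control service itself by keying policy on the local address a connection arrived on. The following is an added example written for this thread, not code from any list member: the interface addresses 192.168.10.5 and 10.66.0.5, the operation names, and the guest credential are all constructed placeholders. It only shows the application-side half; the routing and firewall rules that steer public traffic onto the IMZ NIC are a separate matter.

```python
"""Added example: a control service that presents a different "face" depending
on which local interface address the request reached.

Constructed assumptions (not from the thread):
  - 192.168.10.5 is this host's NIC on the internal zone
  - 10.66.0.5    is this host's NIC on the IMZ zone (where DNATed public traffic lands)
  - the IMZ face requires HTTP Basic auth and exposes a read-only subset
"""
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Per-interface policy.  The local (destination) address of the socket tells us
# which NIC the packet came in on; that is decided by routing, not by anything
# the client can claim about itself.
FACES = {
    "192.168.10.5": {"name": "internal", "auth_required": False,
                     "allowed": {"status", "slew", "park", "snapshot"}},
    "10.66.0.5":    {"name": "imz", "auth_required": True,
                     "allowed": {"status", "snapshot"}},
}

# Guest credential for the IMZ face (constructed placeholder; a real deployment
# would use a proper user store behind TLS).
EXTERNAL_USERS = {"guest": "example-password"}


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _basic_auth_ok(header):
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    expected = EXTERNAL_USERS.get(user)
    # Constant-time comparison so a wrong guess does not leak how much matched.
    return expected is not None and hmac.compare_digest(password, expected)


def decide(local_addr, operation, auth_header=None):
    """Return (HTTP status, message) for `operation` requested via `local_addr`."""
    face = FACES.get(local_addr)
    if face is None:
        return 403, "no service on this interface"       # unknown NIC: default deny
    if face["auth_required"] and not _basic_auth_ok(auth_header):
        return 401, "authentication required"
    if operation not in face["allowed"]:
        return 403, f"'{operation}' is not offered on the {face['name']} face"
    return 200, f"{operation} accepted on the {face['name']} face"


class FaceHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        local_addr = self.connection.getsockname()[0]   # the NIC we were reached on
        status, body = decide(local_addr, self.path.strip("/"),
                              self.headers.get("Authorization"))
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="imz"')
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write((body + "\n").encode())


def serve(port=8080):
    """Bind one listener per face address so each NIC answers separately."""
    servers = [ThreadingHTTPServer((addr, port), FaceHandler) for addr in FACES]
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return servers


if __name__ == "__main__":
    for srv in serve():
        print("listening on", srv.server_address)
    threading.Event().wait()   # keep the daemon threads alive
```

Because `decide` keys on the socket's local address rather than on the peer address, a guest who reaches the host through the IMZ NIC cannot switch faces by spoofing a source address; the only way to get the internal face is to actually arrive on the internal NIC, which is what the zone separation is meant to control.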