* Philipp Rusch wrote on Tue, Nov 12, 2002 at 17:46 +0100:
> Did you do something different on your production system, Steffen ?

Yes :) The productive GWs use ipchains, since iptables was not trusted by us when we set it up. Then I didn't try to masquerade IPSec; with ESP it could work in some rare cases (when you have a single connection IIRC), with AH it cannot. I simply gave the VPN GWs real public IPs. I don't want to have Masq in VPN, I want the clients to see it as a LAN/WAN (for the clients, it just looks like there were leased lines all around).

Well, and in such a configuration, usually you should not allow workstations to go out to the internet with masquerading, since it's a little dangerous (not having masquerading for workstations is a nice and very strict egress filtering :)), think of trojans and spyware. Well, we have proxies... I must say, Masquerading always looks like a kind of hack to me, not the best choice for companies' corporate distributed networks. I prefer to have a DMZ to provide services such as eMail.

Well, most "networks" *want* masquerading, but even in this case you can do masq and VPN on the same physical router - the one between LAN and Internet. I think this is a natural, straightforward setup, and most masq routers do firewalling (packet filtering) anyway. And I think "KISS" (keep it simple, stupid) applies for networking as well as a software design principle; other admins may need to understand it when I am on vacation :)

Finally, I think, when designing firewalls, it is a complex task to create the right rules. For instance, if you have active FTP in both directions without port restrictions, you can nearly turn off the firewall... When you have a simple, straightforward setup, it's much easier to design the rules correctly, and thus there is less risk (I think the risk no. 1 isn't a bug in ipchains code, but in the rules, since they are designed by humans and difficult to test).

oki, Steffen

-- 
This letter was produced by machine and therefore bears neither signature nor seal.
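The AH-versus-ESP point in the message above (why a masquerading router breaks AH but can let ESP through), as an added Python example that is not part of the thread: it models which IPv4 header fields the integrity check value (ICV) of each protocol covers per RFC 2402 (AH) and RFC 2406 (ESP). The key, addresses and payload are constructed, and the ICV is HMAC-SHA1-96 as in RFC 2404.

```python
import hmac
import hashlib
import struct
import ipaddress

KEY = b"constructed-demo-key"  # constructed shared key, not from the thread

def ipv4_header(src, dst, ttl=64, proto=51, total_len=40):
    """Build a 20-byte IPv4 header (no options, checksum left zero); constructed fields."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ah_icv(ip_hdr, payload):
    """AH covers the IP header: only the mutable fields (TOS, flags/fragment
    offset, TTL, header checksum) are zeroed; src/dst addresses are signed."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha1).digest()[:12]

def esp_icv(ip_hdr, payload):
    """ESP authenticates only the ESP header, payload and trailer, never the
    outer IP header, so an address rewrite does not invalidate the ICV."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()[:12]

def decrement_ttl(ip_hdr):
    """What every ordinary router hop does to the header."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)

def nat_rewrite_src(ip_hdr, new_src):
    """What a masquerading router does: a hop plus a new source address."""
    h = bytearray(decrement_ttl(ip_hdr))
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def icv_still_verifies(icv_fn, transform):
    """Compute the ICV at the sender, apply the in-path transform, and check
    whether the receiver's recomputed ICV still matches."""
    payload = b"constructed IPsec payload"
    sent = ipv4_header("192.168.1.10", "203.0.113.5")
    icv_at_sender = icv_fn(sent, payload)
    return hmac.compare_digest(icv_at_sender, icv_fn(transform(sent), payload))
```

AH survives a plain TTL decrement but not masquerading; ESP's ICV survives both, which is why the single-connection case can work while the addressing problem (no ports for the NAT table to key on) remains.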