Fred writes: (about masking improperly addressed networks with a firewall)
>If you, say, use network 16 as your internal network, how will you tell
>your gateway to get packets to the real network 16 (Digital Equipment Corp.)?
>How will you ensure that you can get to both your network 16 and ours?
You can't. That's one problem with the scheme. So if my machine
is addressed as though it's in University of Fubar's network, and it's
really on DEC's network - I'm stuck. But then I was stuck/stupid to
begin with. ;)
The times when I've seen this work is when a network is being
"cut over" from an improperly addressed network to a NIC-sanctioned
network. It's still a win because it means that the network "cut over"
needn't be all-or-nothing, and it's a huge win because the firewall
provides an important service that people are willing to reconfigure
their machines to use.
Inside of Digital, we configure our FTP proxy to reject all
hosts that don't have a reverse address mapping. This way, if a
subnet isn't set up right, they don't get to use the FTP proxy. It
is amazing how quickly people will fix things if you give them a
reason to.
mjr.
|
|
