I think at some point it pays to monitor the end points. This allows a
much less complex (and therefore more verifiable) firewall. Under
either scheme, you're going to have to monitor your end points. Why
not just a group of access lists à la:
o These machines are allowed unfettered access
o These machines are allowed outgoing TCP access with incoming X
o These machines are allowed outgoing TCP access without incoming X
I guess it's my belief that a bunch 'o scripts and a little bit of
policy would make the job a lot easier.
With your scheme, I don't understand why you want an additional machine
involved in the decision. What happens if that machine goes down? What
if someone starts spoofing you?
There has been quite a bit of talk about teaching ip filter gateways
about the upper level protocols, like teaching gateways how to detect
when to allow an incoming FTP data connection. This sounds to me like
a slippery slope where the use of the Internet is limited, as it is
now, by the imagination of the FIREWALL MAINTAINER.
Harumph. The academic in me got me on a soap box there...
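The three host classes sketched in the post, worked through as an added example (this is my illustration, not code from the message or from any real filter). It assumes a stateless screening router that judges each packet alone; it approximates "outgoing TCP access" in the classic way, admitting inbound TCP segments only when the ACK bit is set (a reply to a connection the inside host opened), and it takes "incoming X" to mean new inbound TCP connections to X11 display ports 6000-6063. The site prefix, the policy table and the sample packets are all constructed.

```python
"""
Stateless model of three host access classes: unfettered, outgoing TCP
with incoming X, and outgoing TCP without incoming X.  Added example;
assumptions (no connection table, ACK-bit test for "established",
X11 on TCP 6000-6063, constructed addresses) are mine, not the post's.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UNFETTERED = "unfettered"    # full bidirectional access, any protocol
TCP_WITH_X = "tcp-with-x"    # outgoing TCP, plus new inbound X11 connections
TCP_NO_X = "tcp-no-x"        # outgoing TCP only

X11_PORTS = range(6000, 6064)                  # assumed X11 display port range
INTERNAL = ip_network("10.1.0.0/16")           # constructed site prefix

# Constructed policy: which inside networks fall in which class.
POLICY = [
    (ip_network("10.1.1.0/24"), UNFETTERED),
    (ip_network("10.1.2.0/24"), TCP_WITH_X),
    (ip_network("10.1.3.0/24"), TCP_NO_X),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def host_class(addr):
    """Return the access class of an inside host, or None if it is unlisted."""
    ip = ip_address(addr)
    for net, cls in POLICY:
        if ip in net:
            return cls
    return None


def decide(pkt):
    """Return (verdict, reason) for one packet crossing the gateway."""
    src_in = ip_address(pkt.src) in INTERNAL
    dst_in = ip_address(pkt.dst) in INTERNAL
    if src_in == dst_in:
        return "deny", "not a packet between inside and outside"
    inside = pkt.src if src_in else pkt.dst
    cls = host_class(inside)
    if cls is None:                      # default deny for unlisted hosts
        return "deny", f"{inside} is not in any access list"
    if cls == UNFETTERED:
        return "permit", f"{inside} is unfettered"
    # The two remaining classes are TCP-only.
    if pkt.proto != "tcp":
        return "deny", f"{inside}: only TCP is permitted"
    if src_in:
        return "permit", f"{inside}: outgoing TCP"
    # Inbound TCP toward a restricted host: ACK set means a reply to a
    # connection the inside host opened; a bare SYN is a new connection.
    if pkt.ack:
        return "permit", f"{inside}: ACK set, reply to an outgoing connection"
    if cls == TCP_WITH_X and pkt.dport in X11_PORTS:
        return "permit", f"{inside}: new incoming X connection"
    return "deny", f"{inside}: new inbound connection refused"


# Constructed sample traffic (192.0.2.10 plays the outside host).
SAMPLE = [
    Packet("10.1.3.7", "192.0.2.10", "tcp", 1025, 23, syn=True),            # telnet out
    Packet("192.0.2.10", "10.1.3.7", "tcp", 23, 1025, syn=True, ack=True),  # its reply
    Packet("192.0.2.10", "10.1.3.7", "tcp", 20, 1026, syn=True),            # FTP data in
    Packet("192.0.2.10", "10.1.2.7", "tcp", 1030, 6000, syn=True),          # X to with-x host
    Packet("192.0.2.10", "10.1.3.7", "tcp", 1030, 6000, syn=True),          # X to no-x host
    Packet("192.0.2.10", "10.1.1.7", "udp", 53, 53),                        # UDP to unfettered
    Packet("192.0.2.10", "10.1.9.9", "tcp", 1030, 25, syn=True),            # unlisted host
]


def audit(packets=SAMPLE):
    """Evaluate a batch of packets and return one verdict per packet."""
    return [decide(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE:
        verdict, why = decide(p)
        print(f"{verdict:6} {p.src:>12} -> {p.dst:<12} {p.proto}/{p.dport:<5} {why}")
```

The third sample packet is the case the last paragraph of the post alludes to: an inbound FTP data connection is a fresh SYN from the server toward a high port, so a filter that knows nothing about FTP refuses it, and the only stateless ways around that are to open high ports wholesale or to teach the gateway the protocol. Monitoring on the end hosts, which the post argues for, is what lets a policy this simple stay acceptable.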