>>>>> "Ken" == Ken Hardy <ken @
Ken> But what CERN's cannot be configured for, AFAIK, is specific IP
Ken> addresses to _not_ access it. I.e., unless I want to enter all
Ken> my subnets (for a class B, plus some class Cs), I cannot
Ken> explicitly deny my border net (the DMZ).
The best way to configure CERN is to run it on an internal machine,
making its outbound connections with SOCKS or call-compatible socks
replacement through the firewall. I would not run it on the bastion.