In article <199510021231 .
>the proper kind of firewall (dual-homed gateway, nice name). To make
>this work perfect one would like to have the possibilty to reserve a
>small part of the official adresses (class C?) to be 'translated' in a
>static way to the internal adresses of the servers to be reached from
>the outside world. The remaining part should make a 'pool' to be
>dedicated dynamically (only when needed) for those IP-hosts that need
>connection from the inside to the Internet.
Well, an application layer gateway (and some filters) can provide
simple translation to the IP of the firewall. It is trivial to
decide to use another address, but you may *not* want to do this
Why? That gives no information to the remote machines about
who is connecting via DNS. If you do not want to give them info,
then use either the firewall itself (often called gateway.foo.com,
or foo.com), or use some "typical" name like "marketing.foo.com"
for all the PCs in marketing.
The other reason not to dynamically allocate things is that
it makes rules a pain. That isn't to say that you need to have
a different IP for each utility device. (each printer). You
might have 1 "printers.foo.com" (or service.foo.com) with rules that
map 100 ports on that "virtual machine" to the correct
Why you want people from the untrusted side to be able to
print is not a question I'll ask right here :-)
>MY QUESTION: Does someone works already in this way?
>I read RFC1627 and I am not happy with it. I will not discuss every
>item in it in this forum, although I think that this could be usefull.
My feeling is some group of managers at large companies do not
want to spend money on IPv6 now. If rfc1597 can avoid the crunch,
they think, then do not spend money. 1627 is a respond from the
engineering people who say (quite rightly) "you snooze, you loose"
:!mcr!: | <A HREF="http://www.milkyway.com/">Milkyway Networks Corporation</A>
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr @
Home: <A HREF="http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html">mcr @
ca</A>. PGP key available.
From: toon @