> At 3:25 PM 9/17/96, Chris Garrigues wrote about Mark's picture
> of a "triple homed" firewall:
> >I see maps like yours all the time, but I'm uneasy about real
> >routing happening on my firewall. It just seems to me like
> >there's potential risk in running routing software on a firewall.
> Quite so. Correct packet flow must be enforced by something more than IP
> level routing. The picture only makes sense if you've set up a firewall
> proxy to enforce the flow. All web server accesses should be sent to the
> isolated subnet containing the Web server and no incoming Internet
> connections should be allowed to flow directly into the database server's
> net. The "routing" in this case isn't handled by the IP layer, it's handled
> by socket layer proxies.
Ok, you guys are great, I appreciate everyone that responded.
Hopefully I have enough with which to make a sound decision, and
I'll continue to lurk in either case. :)