> > > The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is less
> > > secure than the routed DMZ. I didn't say anything and thought "Uh, really?
> > > Why?".
> >
> > Good for you!
>
> Good for me that I didn't say anything or good for me that I'm going to make
> the WCP? :)

Good for you that you question rather than simply believe...

> Unfortunately, you can't define in which chain rules go. (Watchguard
> Fireboxes run on a highly modified kernel 2.0.38)
> I don't know in which chain they organize their DMZ stuff.
>
> She told me, that she'll explain the whole DMZ stuff more exactly tomorrow.
> Let's see if she knows what she's talking about... ;)

Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform. As there are things you can do with 2.4 kernels and iptables that are difficult or impossible with ipchains, there's a *LOT* you can't do with a 2.0 kernel's packet filtering.

I'm not familiar enough with the 2.0 stuff to know for sure, but that could very well be why a proxy-arp based DMZ isn't as secure. If so, just note that it's an artificial limitation of the firewall, and not a basic problem with the topology.

Charles Steinkuehler
[EMAIL PROTECTED]

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel