> Here are my questions:
>
> 1.  Is it still true that some systems absolutely cannot be made to work with
> NAT?

Absolutely.  The truly paranoid do cryptographic authentication of the
*entire* packet, including the IP address and IP layer checksums.  Any
tampering with these packets (even a fairly innocuous NAT of the
source/destination IP) will invalidate them.

> 2.  Anyone care to comment on the security and administration issues with
> managing a network of routable addresses from behind a LEAF box?

Your firewall problems are much trickier when using public IPs.  Get
anything wrong, and you can have inbound ports available to all machines,
leaving them open to port-scanning, if nothing else.  You might consider
blocking pretty much everything but VPN traffic and forcing everyone to use
application layer proxies...kind of depends on how secure you need to be,
and how comfortable you are crafting firewall scripts.

> 3.  Are there any architectural "tricks" that can be used to create VPN
> gateways that allow full access into a private network from only one trusted
> host outside --- and is this a good idea?

There are lots of good tricks...kind of depends on what sort of VPN protocol
and software you're talking about.  You have to decide if any particular
network architecture is a good idea for you, but in general, hooking
networks together with a VPN is just like hooking the remote users to your
local, physical net...your increased security risk depends a lot on who's
running the remote system.

> 4.  Are there example configs around where a LEAF distro has been setup to do
> such things?

Hmm...not a lot, but if you need to connect a bunch of folks with public
IPs, you can use the DMZ scripts (just pretend all your users are on DMZ
machines), or the border-router features of the Dachstein scripts (although
these haven't seen a lot of testing).

Some of the alternate firewall options (i.e. seawall, rcf, &c) may also have
good support for this sort of network...I don't know.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
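The first answer above says that systems which authenticate the whole packet, addresses included, cannot survive NAT. The following is an added example (not part of the original post or of any LEAF code) that shows the mechanism in miniature: it builds a real IPv4 header, computes an HMAC in the way IPsec AH covers the immutable header fields, and then compares what happens when an ordinary router decrements the TTL versus when a NAT box rewrites the source address. The key, addresses and payload are constructed for the demonstration, and HMAC-SHA256 over the zeroed-mutable-fields view stands in for the real AH integrity check value rather than reproducing it exactly.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the demo; a real SA would negotiate this via IKE.
KEY = b"constructed-demo-key"

IPPROTO_AH = 51  # protocol number of the IPsec Authentication Header


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791).
    Returns 0 when run over a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(header: bytes) -> bytes:
    """Zero the checksum field, recompute it and write it back."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]


def _addr(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20 + payload_len, 0x1234, 0, ttl, IPPROTO_AH, 0,
        _addr(src), _addr(dst),
    )
    return _with_checksum(hdr)


def immutable_view(header: bytes) -> bytes:
    """What AH actually authenticates: the header with the fields that legitimately
    change in transit (TTL, header checksum) zeroed. Addresses stay in the view."""
    return header[:8] + b"\x00" + header[9:10] + b"\x00\x00" + header[12:]


def authenticate(header: bytes, payload: bytes) -> bytes:
    """Integrity tag over immutable header fields plus payload (simplified AH ICV)."""
    return hmac.new(KEY, immutable_view(header) + payload, hashlib.sha256).digest()


def verify(header: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(header, payload), tag)


def router_hop(header: bytes) -> bytes:
    """Plain forwarding: decrement TTL and fix the checksum, nothing else."""
    ttl = header[8] - 1
    return _with_checksum(header[:8] + bytes([ttl]) + header[9:])


def nat_rewrite_source(header: bytes, new_src: str) -> bytes:
    """Source NAT: rewrite the source address and fix the checksum.
    The resulting header is perfectly valid IP, but no longer what was signed."""
    return _with_checksum(header[:12] + _addr(new_src) + header[16:])


def demo() -> dict:
    payload = b"constructed payload"
    hdr = build_ipv4_header("192.168.1.10", "203.0.113.5", len(payload))
    tag = authenticate(hdr, payload)
    routed = router_hop(hdr)
    natted = nat_rewrite_source(hdr, "198.51.100.1")
    return {
        "direct_ok": verify(hdr, payload, tag),          # True
        "after_router_ok": verify(routed, payload, tag), # True: TTL is mutable, excluded
        "after_nat_ok": verify(natted, payload, tag),    # False: address is covered
        "nat_header_wellformed": ip_checksum(natted) == 0,  # True: NAT did its job
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two results are the whole point: the NAT box produces a header that every router downstream accepts as well-formed, yet the receiver's integrity check fails because the signed bytes included the original source address. That is why no amount of firewall-script cleverness on the LEAF box can make an address-covering protocol pass through NAT; the fix is public addressing or a protocol that excludes addresses from its integrity check.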

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user