Hi Charles, hi all

> Good for you that you question rather than simply believe...

Ahh.. OK :)

> > Unfortunately, you can't define in which chain rules go. (Watchguard
> > Fireboxes run on a highly modified kernel 2.0.38)
> > I don't know in which chain they organize their DMZ stuff.
>
> Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform.
> As there are things you can do with 2.4 kernels and iptables that are
> difficult or impossible with ipchains, there's a *LOT* you can't do with a
> 2.0 kernel's packet filtering. I'm not familiar enough with the 2.0 stuff
> to know for sure, but that could very well be why a proxy-arp based DMZ
> isn't as secure. If so, just note that it's an artificial limitation of the
> firewall, and not a basic problem with the topology.

Please note that, referring to my trainer, Watchguard don't use a standard
2.0 kernel at all. They rewrote the whole TCP/IP stack and the firewalling
part. I don't know how far this is true. I'm sure they've still some parts
of the original 2.0 code in their stack. I'll ask her for more details and
let you know.

---
Sandro Minola | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch | http://leaf.sourceforge.net/devel/sminola

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user