From: Olaf W. <wei...@ip...> - 2009-01-24 15:44:44

Robert Kerr wrote:
> In general the basics seem sound, but it doesn't seem to cover the
> restrictions between zones/interfaces? Also though it says orange will
> be separate I'm not clear what the restrictions will be there either. At
> the minute orange allows all to the internet but nothing to IPCop's
> services which doesn't seem to fit neatly into the open/half-open/closed
> definition?

--> Orange will not have the half-open policy, the DMZ is completely separated from IPCop and green, blue. Yes it makes it somewhat different from green and blue and yes I know this is a trade-off, but it is the best approach for a DMZ if you ask me.

Currently in 1.4 we have no restrictions for green -> blue+orange and for blue -> orange. We can either follow the same principle or (my personal favorite) have these restrictions between interfaces configurable on the same page where the policy is defined.

> I guess there's also the question of how much a basic user has to think
> about? Are there sane defaults similar to an existing IPCop install or
> are we forcing the user to choose a value for all these settings.

IMHO the defaults should be as close as possible to IPCop 1.4 behavior. Which would be this:

- green selected as maintenance network (https and ssh)
- green is open (full access to internet, access to IPCop services)
- green can access blue and orange
- blue is open with "Blue access" activated (full access to internet, access to IPCop services)
- blue can access orange
- orange is open (full access to internet)

Olaf

--
A weizen a day helps keep the doctor away.
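To make the proposed defaults concrete, here is an added example (not IPCop's own code or anything from this thread) that turns the per-zone policy and inter-zone allow list above into a netfilter rule set. The interface names, the port numbers, and the choice of DNS/DHCP as the "IPCop services" that green and blue may reach are assumptions; the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Constructed example: emit iptables rules for the 1.4-like defaults.
# Interface names and service ports below are assumptions, not IPCop's.
GREEN_IF=eth0; BLUE_IF=eth2; ORANGE_IF=eth1; RED_IF=ppp0

# Policy knobs mirroring the defaults listed in the message
MAINT_ZONE=GREEN                   # maintenance network: https + ssh to IPCop
OPEN_ZONES="GREEN BLUE ORANGE"     # "open": full access to the internet (RED)
IPCOP_SERVICE_ZONES="GREEN BLUE"   # may reach IPCop services; orange is left out
INTERZONE_ALLOW="GREEN:BLUE GREEN:ORANGE BLUE:ORANGE"

# Resolve a zone name to its interface (assumed mapping above)
iface() { eval "echo \$${1}_IF"; }

gen_rules() {
  # Default stance: nothing reaches or crosses the firewall unless allowed below
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Maintenance network only: web GUI (https) and ssh on the firewall itself
  for p in 443 22; do
    echo "iptables -A INPUT -i $(iface "$MAINT_ZONE") -p tcp --dport $p -j ACCEPT"
  done
  # Open zones: full access to the internet
  for z in $OPEN_ZONES; do
    echo "iptables -A FORWARD -i $(iface "$z") -o $RED_IF -j ACCEPT"
  done
  # IPCop services (assumed: DNS and DHCP) for the listed zones only;
  # the DMZ gets no rule here, so it stays separated from the firewall
  for z in $IPCOP_SERVICE_ZONES; do
    echo "iptables -A INPUT -i $(iface "$z") -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $(iface "$z") -p udp --dport 67 -j ACCEPT"
  done
  # Inter-zone access: only the configured pairs, one direction each
  for pair in $INTERZONE_ALLOW; do
    src=${pair%%:*}; dst=${pair##*:}
    echo "iptables -A FORWARD -i $(iface "$src") -o $(iface "$dst") -j ACCEPT"
  done
}
```

Running `gen_rules` prints the rule set; note that orange gets a FORWARD rule to RED but no INPUT rule and no FORWARD rule towards green or blue, which is the separation the message describes.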