Mon Feb 7 10:29:41 EST 2005
subnet architecture is recommended, and defence in depth via simply
configured, minimal service available machines is better. And yes,
limited-service, specific-purpose machines are FAR easier to firewall.
The point of OCLUG's list is to help people, not to establish Alpha Nerd
status. We have to help confused newbies in manageable steps, just like
you learned addition in primary school and calculus in high school. If
your calculus teacher showed up to answer questions in your grade one
addition class, many of the students would end up confused and abandoning
school. Questions have to be answered in context appropriate to the level
of the questioner, not the person offering an answer.
The original poster did ask some pretty specific questions, but the
questions taken as a whole indicated the poster's level of knowledge was
pretty basic and inexperienced. From that it is easy to guess that they
weren't from the CSIS information security team, rather a person looking
to take their first steps towards securing a Linux environment. Learning
(and I mean learning, not copying existing scripts) a packet filter syntax
and understanding all the protocols you are filtering is a HUGE task, and
adding architectural complexity to someone's first exercise is a
mistake. Small steps, testing, and reinforcement lead to the kind of
knowledge that Alex and you have.
Trying to take a first-time newbie and implement a multi-platform,
multi-architecture (bastion host iptables + DMZ + internal screening host
ipchains) in answer to a newbie's question is inappropriate and of
doubtful value. Technically right, but situationally WRONG.
Sometimes you have to consider context when answering a question, not the
specific issues raised.
bill -dot- strosberg -at- rcpsc -dot- edu