Status of Bugzilla #1153
Darren Tucker
dtucker at zip.com.au
Wed Feb 22 07:41:36 EST 2006
Simon Vallet wrote:
> OK, I understand this is a legitimate concern, however you might want
> to check the routing behaviour on your bastion host: I personally don't
> see any reason why only one interface of the bastion would be reachable
> from the trusted side -- we're not talking about forwarding packets to
> an untrusted zone, of course.
I think you're missing the point: there may be *no* route to the
external interface's address at all. I've seen networks where there was
no default route and all traffic in and out was via bastion hosts.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.