Status of Bugzilla #1153
Simon Vallet
svallet at genoscope.cns.fr
Wed Feb 22 08:28:10 EST 2006
On Wed, Feb 22, 2006 at 07:41:36AM +1100, Darren Tucker wrote:
> Simon Vallet wrote:
> > OK, I understand this is a legitimate concern, however you might want
> > to check the routing behaviour on your bastion host: I personally don't
> > see any reason why only one interface of the bastion would be reachable
> > from the trusted side -- we're not talking about forwarding packets to
> > an untrusted zone, of course.
>
> I think you're missing the point: there may be *no* route to the
> external interface's address at all. I've seen networks where there was
> no default route and all traffic in and out was via bastion hosts.
I *definitely* think I'm missing something now ;-) How on earth would you route
every packet destined for the outside through the bastion without specifying
that bastion in a default route (be it static or dynamic)? Unless you want to
list every block except the one containing the external interface
in your routing tables...