Subject: Re: making our tcp/ip a strong-end system
To: Ronald Khoo <ronald@demon.net>
From: Todd Vierling <tv@pobox.com>
List: tech-net
Date: 11/12/1998 14:12:43

On Thu, 12 Nov 1998, Ronald Khoo wrote:

: This is precisely what a strong ended system is intended to do.
: The idea is that a box may have interfaces on both `green'
: and `amber' security zones, and present different services
: to each (using different local address binding in inetd).
: 
: Making the system `strong ended' would, in addition,
: prevent clients in the `green' zone accessing resources
: made only available on the `amber' zone address, and
: vice versa.

Then why not just use ipf and eliminate all of the workarounds of
workarounds?

pass in quick on ne0 from any to 1.2.3.4
block in quick on ne0 all
pass in quick on ne1 from any to 4.3.2.1
block in quick on ne1 all

And we're done.  (Did I miss something?)

-- 
-- Todd Vierling (Personal tv@pobox.com; Bus. todd_vierling@xn.xerox.com)
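
Added example, not part of the original message: a small Python model of the four ipf rules above, run over constructed arrivals to compare weak-end acceptance with the filtered behaviour. The function names, the restriction to the two rule shapes used in the message, and the default-pass policy for packets no rule matches are assumptions of this example.

```python
from typing import NamedTuple, Optional

# The four rules from the message, verbatim.
RULES = """\
pass in quick on ne0 from any to 1.2.3.4
block in quick on ne0 all
pass in quick on ne1 from any to 4.3.2.1
block in quick on ne1 all
"""
LOCAL_ADDRS = {"1.2.3.4", "4.3.2.1"}  # the host's two addresses, taken from the rules

class Rule(NamedTuple):
    action: str          # "pass" or "block"
    iface: str           # interface named after "on"
    dst: Optional[str]   # destination address, or None for "all"

def parse(text):
    """Parse only the two rule shapes used in the message."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = line.split()
        if tok[0] not in ("pass", "block") or tok[1:4] != ["in", "quick", "on"]:
            raise ValueError(f"unsupported rule: {line!r}")
        if tok[5:] == ["all"]:
            dst = None
        elif tok[5:8] == ["from", "any", "to"] and len(tok) == 9:
            dst = tok[8]
        else:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(Rule(tok[0], tok[4], dst))
    return rules

def filter_passes(rules, iface, dst, default="pass"):
    """Every rule is 'quick', so the first matching rule decides.
    Assumption: a packet no rule matches gets the default policy (pass here)."""
    for r in rules:
        if r.iface == iface and r.dst in (None, dst):
            return r.action == "pass"
    return default == "pass"

def weak_end_accepts(iface, dst):
    """Weak end system: any local address is accepted on any interface."""
    return dst in LOCAL_ADDRS

def strong_end_accepts(rules, iface, dst):
    """Local delivery once the inbound filter is in place."""
    return dst in LOCAL_ADDRS and filter_passes(rules, iface, dst)

if __name__ == "__main__":
    rules = parse(RULES)
    for iface in ("ne0", "ne1", "lo0"):  # constructed arrivals; no rule names lo0
        for dst in sorted(LOCAL_ADDRS):
            print(iface, dst, "weak:", weak_end_accepts(iface, dst),
                  "filtered:", strong_end_accepts(rules, iface, dst))
```

The lo0 rows show that an interface the ruleset does not name falls through to the default policy, so the strong-end property holds only for interfaces that have their own pass/block pair.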