Subject: Re: Enhancing my firewall/gateway: Adding a DMZ
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 12/21/2002 15:56:30
SCI> I have been running NetBSD for a while now as my firewall. Finally
SCI> the time has come to enhance the firewall to provide for a DMZ. I
First, you have a problem with terminology.
The term DMZ originally meant the wire between your firewall and your
border router - the place that you didn't control, nor did the opposition.
Raptor/Axent/etc, when they added support for a third interface, decided to
abuse the term and call it the "DMZ", and then Checkpoint, who had an equal
lack of clue, adopted it.
The historical term for what I think that you want, is a "service" network -
a place for servers which are visible to the outside world.
In general, one builds that network with routable addresses. If you only
have one address, then I recommend getting more. Or switch ISPs.
I'm serious here.
If you are just building another network that you are going to NAT things
to, then, well... what's the question?
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
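An illustration of the three-interface layout the reply argues for (routable service network, separate NAT'd internal LAN), written as a NetBSD IPFilter ruleset. This is an added example, not configuration from the thread or from any NetBSD project source; the interface names (ex0 upstream, ex1 service network, ex2 internal LAN), the RFC 5737 documentation prefix 192.0.2.0/24 standing in for a routable block, and the 10.0.0.0/24 internal range are all constructed.

```conf
# /etc/ipf.conf  (added example; interface names and addresses are constructed)
#
#   ex0 : upstream link to the border router
#   ex1 : service network, routable prefix 192.0.2.0/24 (no NAT)
#   ex2 : internal LAN, 10.0.0.0/24, NAT'd through ex0 (see ipnat rules below)

# Default deny in both directions, logged, on every interface.
block in  log all
block out log all

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: our own prefixes must never arrive from the outside,
# and the service segment must never source internal addresses.
block in quick on ex0 from 192.0.2.0/24 to any
block in quick on ex0 from 10.0.0.0/24  to any
block in quick on ex1 from 10.0.0.0/24  to any

# Public services: because the service hosts have routable addresses there is
# no rdr/port-forward step, just a per-host, per-port pass rule on the way in.
pass in quick on ex0 proto tcp from any to 192.0.2.10 port = 80  flags S keep state
pass in quick on ex0 proto tcp from any to 192.0.2.10 port = 443 flags S keep state
pass in quick on ex0 proto udp from any to 192.0.2.53 port = 53          keep state
pass in quick on ex0 proto tcp from any to 192.0.2.53 port = 53  flags S keep state

# The same flows leave the box on ex1; state was created on ex0, so allow
# the forwarded packets out explicitly rather than opening ex1 wholesale.
pass out quick on ex1 proto tcp from any to 192.0.2.10 port = 80  flags S keep state
pass out quick on ex1 proto tcp from any to 192.0.2.10 port = 443 flags S keep state
pass out quick on ex1 proto udp from any to 192.0.2.53 port = 53          keep state
pass out quick on ex1 proto tcp from any to 192.0.2.53 port = 53  flags S keep state

# Service hosts may not originate traffic into the internal LAN: a compromised
# public server stays on its own segment. Everything else they send is dropped
# by the default deny above unless listed here (e.g. DNS out for the resolver).
block in quick on ex1 from 192.0.2.0/24 to 10.0.0.0/24
pass  in quick on ex1 proto udp from 192.0.2.53 to any port = 53 keep state
pass out quick on ex0 proto udp from 192.0.2.53 to any port = 53 keep state

# Internal LAN: outbound only, stateful, may reach the service network
# (for administration) and the Internet, never the reverse.
pass in  quick on ex2 from 10.0.0.0/24 to any keep state
pass out quick on ex0 from 10.0.0.0/24 to any keep state
pass out quick on ex1 from 10.0.0.0/24 to 192.0.2.0/24 keep state

# /etc/ipnat.conf  -- only the internal LAN is translated; the service
# network keeps its real addresses, which is the whole point of the design.
map ex0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ex0 10.0.0.0/24 -> 0/32
```

The rdr-free inbound rules are what a single NAT'd address cannot give you: with one public address, two servers wanting port 443 collide, and every service is a redirect rule rather than a plain pass. Load with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`, then check the counters with `ipfstat -hio` to confirm the block-by-default rules are the ones accumulating hits for unexpected traffic.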