[plug] Parallel linkups.
Bernd Felsche
bernie at innovative.iinet.net.au
Wed Jun 23 12:20:04 WST 2004
On Wednesday 23 June 2004 11:08, Craig Ringer wrote:
> Bernd Felsche wrote:
> > What tools are available to facilitate this sort of connection
> > routing? And I don't want to hear the word "Cisco" mentioned. :-)
> This will provide some of the info you'd need to do it the iproute2 +
> iptables route.
> http://www.linuxguruz.com/iptables/howto/2.4routing-15.html
Thanks... that looks somewhat useful. It'll take me a few hours to
grok that...
> As for the VPN side, ipsec comes to mind as the "proper" way, but there
> may well be simpler methods around.
It's not quite "straight-forward", configuration-wise.
(Inet)---(HQ-FWall)+-(HQ-Main)
| |
| +-(HQ-LAN)
| |
| +-(Cisco) - (WAN)
| |
| [ATM cloud]
(VPN) |
| +-(Cisco) - (WAN)
| |
| +-(Branch LAN)
| |
| +-(Branch-Server)
| |
| (IP tables)
| |
(Inet)--(BranchFW)------------+
One of the things I'll probably have to do is to beat some sense
into the Cisco gear. The Cisco routers are used as the default
routers; though each of the Linux servers uses DHCP to publish
something more reasonable... for network clients that can be
bothered. <sigh>

The Internet shouldn't be directly accessible from any branch office
either. There's content filtering done at the HQ firewall's
transparent http proxy; mainly for virus screening. Similarly,
incoming and outbound email is also screened for viruses. Only
a limited number of hosts are allowed direct, outbound SMTP; usually
for EDI.
--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ / ASCII ribbon campaign | I'm a .signature virus!
X against HTML mail | Copy me into your ~/.signature
/ \ and postings | to help me spread!