The routing asymmetry is too grim otherwise. Consider:
* ibanez and vampire are both on dmz and unsafe;
* vampire is a router on dmz, unsafe, and vpn, while ibanez is not a
router;
* crybaby is on vpn;
* crybaby attempts to connect to ibanez.dmz.
Now ibanez will respond with its dmz address as the source, and
crybaby's vpn address as the destination. Based on the destination, it
will choose to route the packet over the unsafe network. We must
therefore let vampire know that this is a possibility.
Similarly, ibanez must be prepared to allow packets from unsafe
on its dmz interface because it's not a router: hence, to reach their
destination, they'll have to be pushed over dmz by a router.
It's therefore inevitable that we must abandon separation between these
two networks (or start fiddling with policy routing, which just seems
like more pain than it's worth).
~mdw / firewall / commitdiff