Firewall Wizards mailing list archives

Re: Say it ain't so


From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 18 Sep 1997 20:36:38 -0400 (EDT)

On Wed, 17 Sep 1997, Jim Leo wrote:

installation/Firewall) and was told that every device behind the 
firewall would have to 'be touched' for anything to work. It almost 
sounds like a complete rework of the network setup/standard. We were 
told that all IP addresses would have to be changed. Somehow I get 
the impression that this is the installer's idea, and I'm not quite 
willing to buy into it. I feel that it should be possible to 'plug-in' 
any properly configured firewall (with the exception of the proxies) 
and not have to reconfigure machines. 
      Am I wrong?

Probably not.  If you're using illegal IP addresses behind the firewall 
though, you __really__ should re-number your machines and do things 
properly; this is likely your best chance to do so.  Also, if you're 
using CIDR-type subnet masks, and the firewall has an OS version which won't route 
classlessly, then if you don't have an inside screening router, you'll have to 
re-address to fit classful subnet boundaries.  Lastly, if the new security 
architecture has some different rules for different machines there may be 
some method to re-numbering.

I'd advise going to an IP address management scheme like BOOTP, or DHCP 
if you're going to renumber.  It makes things a great deal easier in the 
long run.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280



