[masraum]

Thanks. I'm going to try to sell the proxy. As soon as it was mentioned I had a head-slap moment. Several times I've gotten requests to setup static NAT and open holes from the internet to servers that aren't on the DMZs, and I always tell them "no way in hell". It only makes sense. Never have traffic go from the internet to the inside. Traffic should always go from inside to DMZ or outside to DMZ, but never inside to outside. It never clicked that we've got 2500 idiots with admin access doing whatever they want from the inside to the outside. Makes me shudder just to think about it.