Firewall Wizards mailing list archives
Re: Firewall-1 and Frame relay interfaces
From: "Crist Clark" <crist.clark () globalstar com>
Date: Tue, 05 Jun 2001 10:06:12 -0700
"Dawes, Rogan (ZA - Johannesburg)" wrote:

[snip]

> I was thinking that it would be a lot simpler to have a firewall device (Nokia or Sun) with a frame relay interface. The individual PVCs would connect to the firewall over the single (electrical) connection, but the firewall would treat them as separate interfaces. Then the firewall can control any traffic between interfaces. This seems to remove an enormous amount of complexity (routers, QFE's, etc), with no downside.
>
> However, I have been informed that the Nokia boxen (and Sun, it seems) will do the routing first, and if the packet is to go out of the same interface, will transmit it immediately out the interface without it passing through the firewall rulebase. To me though, the different frame relay PVC's are different interfaces! Can anyone confirm or deny this? I would hate to have to go with the complex solution for nothing.

Are we still talking about FW-1?

FW-1 does do the routing calculation first. This is extremely annoying. However, the packet still goes through the firewall rules. This only becomes an issue when the destination address of the packet changes somewhere in the firewall processing, i.e. when you are doing NAT.

So, yes, routing is done first in FW-1, but no, the packet does not go out an interface without first passing through the ruleset. At least, that's what the docs say.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926