Firewall Wizards mailing list archives
Re: null routes and VPN's
From: "Lord Sporkton" <lordsporkton () gmail com>
Date: Tue, 20 May 2008 14:22:09 -0700
2008/5/20 Kerry Milestone <km4 () sanger ac uk>:
Hello, is it a wise idea to put a default route on the inside (trusted) side of a firewall with a high metric for when a VPN drops? Essentially, blackholing all traffic until the VPN comes back and the default route is again the end of the VPN?

Assuming there is a rule on the outside which allows only VPN traffic from the other end (point to point and only traffic allowed through the VPN), should both ends of the VPN have null routes for when it's down (for traffic within the VLAN for this VPN)?

What would be the implementation side effects, something along the lines of once the VPN is up it's a matter of timeout on the routing protocol (say OSPF) to propagate the default route? Should a modernish firewall do this automagically anyway??

Cheers,
Kerry.

--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
I had a little trouble understanding your question; however, I will say this. There should be a high-weight black hole route for any given gateway, be that gateway a default route, a LAN interface, or a VPN. This is good for many reasons:

1) It keeps down loop traffic, and reduces routing load in an already compromised situation.
2) If used for a VPN it keeps you from spewing private traffic out an unprotected or public link.

I have only seen a few implementations where a VPN could use a black hole route. If you're using an IPsec tunnel you don't have a real route to blackhole; all you have is an interesting-traffic filter. If you're using a GRE tunnel this might work. If you're using MPLS (or its siblings) this might work, but I'm not sure if it's more trouble than it's worth.

Just my 2 cents.

--
-Lawrence
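The floating null route Lawrence describes, modelled as an added example (my code, not from either poster; the routing table, interface names gre1/eth0/eth1 and metrics are constructed): once the tunnel route for the remote VLAN is withdrawn, the higher-metric blackhole entry wins the lookup, and without it the same private traffic would follow the public default route.

```python
import ipaddress

# Constructed routing table for one end of the tunnel (example data, not from the thread).
# Each entry: (prefix, egress, metric). An egress of "blackhole" means the packet is discarded
# (ip route add blackhole ... on Linux, ip route ... Null0 on IOS-style boxes).
REMOTE_LAN = "10.2.0.0/16"      # the VLAN reachable only through the VPN

def routing_table(vpn_up: bool, with_null_route: bool = True):
    routes = [
        ("0.0.0.0/0", "eth0", 1),        # public uplink: should only ever carry the encrypted tunnel
        ("10.1.0.0/16", "eth1", 0),      # local trusted LAN
    ]
    if with_null_route:
        # High metric so this entry only wins once the tunnel route is gone.
        routes.append((REMOTE_LAN, "blackhole", 250))
    if vpn_up:
        # Route over the tunnel interface, present only while the VPN is up (e.g. learned via OSPF).
        routes.append((REMOTE_LAN, "gre1", 10))
    return routes

def lookup(routes, dst):
    """Pick the egress for dst: longest prefix match first, lowest metric as the tie-breaker."""
    addr = ipaddress.ip_address(dst)
    best_key, best_egress = None, None
    for prefix, egress, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_egress = key, egress
    return best_egress

def leaks_to_public(routes, dst):
    """True if traffic for dst would be forwarded out the unprotected uplink."""
    return lookup(routes, dst) == "eth0"

if __name__ == "__main__":
    host = "10.2.5.7"
    print("VPN up:", lookup(routing_table(True), host))                         # gre1
    print("VPN down, null route present:", lookup(routing_table(False), host))   # blackhole
    print("VPN down, no null route:", lookup(routing_table(False, False), host)) # eth0
```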