Re: Dynamic routing on firewalls.

[Valdis.Kletnieks () vt edu]

On Mon, 09 Feb 2015 12:56:37 -0200, Patrick Tracanelli said:
> > On 09/02/2015, at 12:14, Valdis.Kletnieks () vt edu wrote:
> > On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
> > > On a bridged firewall you can have the behavior you want, whatever it is. Passing packets with firewall is down, 
> > > but the box still up.
> >
> > Owen's point is that passing packets if the firewall is down is really poor
> > security-wise.   If you run in that configuration, I simply DoS your firewall
> > (probably from one set of IP addresses), and then once it has fallen over and
> > is being bypassed, I send my *real* malicious traffic from some other IP
> > address, totally uninspected and unhindered.  Much hilarity, hijinks, and
> > pwnage ensues.
>
> Hello Valdis,
>
> If this is really the point, I don’t know what system you are talking about

The one *you* mentioned - "passing packets with firewall is down".  Owen
was pointing out that is a silly configuration:

On 08/02/2015, at 22:48, Owen DeLong <owen () delong com> wrote:
> Technically true, but bridged firewalls are pretty much passe these days in the
> real world. As a general rule, when the firewall is shut down, one usually
> doesn’t want the packets flowing past un-hindered. The fact that this is kind
> of the default of what happens with bridged firewalls is just one of the many
> reasons hardly anyone still uses such a thing.

Attachment: _bin
Description: