Firewall Wizards mailing list archives
Re: strange firewall setup
From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 12 Jul 1999 20:38:10 -0700 (PDT)
The configuration you describe is common. The error you have is the assumption that the adapter configuration is used for all routing purposes on the local segment. In order to explain how this works, let's remove "firewalling" from the equation and assume the FW-1 box is just another router.

Let's assume a configuration like the following: Mask of 255.255.252.0 for everyone, IP addresses used for demonstration purposes and are assumed to be Internet routable (even though we use private addresses).

           /~~~~~~\
          {INTERNET}
           \~~~~~~/
               |
       +-------+-------+
       |  192.168.0.1  |
       |     if(1)     |
       |               |
       |    Router#A   |
       |               |
       |  192.168.0.2  |
       |     if(2)     |
       +-------+-------+
               |
               |
       +---------------+
       |  192.168.0.3  |
       |     if(1)     |
       |               |
       |    Router#B   |
       |               |
       |  192.168.0.4  |
       |     if(2)     |
       +-------+-------+
               |
               |
           /~~~~~~\
          {internal}
           \~~~~~~/

Q: How the heck do the packets get routed?
A: Manual ROUTEs or Proxy ARP.

Explanation: Manual routing

The original question assumed all dynamic routing, as maintained by everyone's NIC configuration and routing protocol. However, most Internet connection points like this use MANUAL routing. Using MANUAL, rather than DYNAMIC routing, something like this is easy. I do it all the time in lab environments in order to make more interesting routes for my packets to follow.

In the manual route scenario, Router#A has the route table:

===========================================================================
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         INTERNET     192.168.0.1       1
      192.168.0.0    255.255.252.0      192.168.0.3     192.168.0.2       1
===========================================================================

Translation: "Pass all INTERNET traffic out to the Internet, and pass all internal traffic to Router#B who is located on the segment off if(2)".

Router#B has the configuration:
===========================================================================
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.2     192.168.0.3       1
      192.168.0.0    255.255.252.0      192.168.0.4     192.168.0.4       1
===========================================================================

The interpretation is "Pass all INTERNET traffic out to Router#A located off my own if(1), pass all internal traffic out my own if(2)".

This may lead to some weirdness; with these routing tables, you can't ping Router#1 from the internal network, because Router#2 doesn't know how to route those packets.

Note carefully the configuration (assuming I got it right). Inbound traffic is configured on Router#A to go to Router#B, but inbound traffic on #B is configured to go to #B. Why? Once it gets sent to the adapter, THEN the default routing of comparing against the address mask is used. This is the sticky point in the original query, which assumed the adapter configuration of address/mask was always used. In this sample, it is only used once by Router#B when forwarding packets destined for the Internal network.

DISCLAIMER: I've probably made an error in the above routing tables (as they were typed in by hand). I fixed one already that was totally wrong, even after double checking it.

Explanation: Proxy ARP

Another solution to this problem would be Proxy ARP. In this case, Router#1 will receive incoming packets and ARP the end-nodes. Router#2 responds to all ARPs with its own MAC address, so Router#1 forwards the packets to Router#2, thinking it is a single end-node with hundreds of IP addresses. Router#2 then routes accordingly. Proxy ARPs can work in the reverse direction as well.

Proxy ARPs work because there is conceptually no difference between receiving a frame for routing and receiving a frame destined to yourself. This is why you see that all end-nodes (like WinNT, Linux, etc.) have routing capabilities built-in, because all TCP/IP stacks are routers anyway.
Hope this helps,
Rob.
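Added illustration, not part of Rob's post: a small Python model of the two manual route tables above, with a longest-prefix lookup and a hop-by-hop trace that shows where the table picks the next hop and where the adapter's address/mask is finally consulted for on-link delivery. The router and wire names, the internal host address 192.168.1.10 and the Internet address 203.0.113.5 are constructed for the example; the tables are transcribed as the post gives them, so the trace also reproduces the "can't ping Router#A from the internal network" behaviour those tables produce.

```python
import ipaddress

# Constructed model of the two-router layout in the post: which router
# owns which interface address, and which addresses share a wire.
OWNER = {
    "192.168.0.1": "Router#A", "192.168.0.2": "Router#A",
    "192.168.0.3": "Router#B", "192.168.0.4": "Router#B",
}
WIRES = {
    "middle":   {"192.168.0.2", "192.168.0.3"},   # A if(2) <-> B if(1)
    "internal": {"192.168.0.4"},                  # B if(2) plus the internal hosts
}
SITE_NET = ipaddress.ip_network("192.168.0.0/22")  # the /22 everyone is configured with

# Route tables as given in the post: (destination, gateway, interface, metric).
# "INTERNET" as the gateway stands for the upstream link.
TABLES = {
    "Router#A": [
        ("0.0.0.0/0",      "INTERNET",    "192.168.0.1", 1),
        ("192.168.0.0/22", "192.168.0.3", "192.168.0.2", 1),
    ],
    "Router#B": [
        ("0.0.0.0/0",      "192.168.0.2", "192.168.0.3", 1),
        ("192.168.0.0/22", "192.168.0.4", "192.168.0.4", 1),
    ],
}


def lookup(table, dst):
    """Longest-prefix match, lowest metric on a tie. Returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in table:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or (n.prefixlen, -metric) > (best[0].prefixlen, -best[3])):
            best = (n, gw, iface, metric)
    return None if best is None else (best[1], best[2])


def wire_of(iface):
    return next(w for w, addrs in WIRES.items() if iface in addrs)


def on_wire(addr, wire):
    """The on-link check: is addr actually reachable on this wire?
    Router interfaces are placed explicitly; any other address inside the /22
    is taken to be an end host on the internal wire (constructed assumption)."""
    if addr in WIRES[wire]:
        return True
    return wire == "internal" and addr not in OWNER and ipaddress.ip_address(addr) in SITE_NET


def trace(start, dst, max_hops=8):
    """Follow a packet for dst hop by hop, starting at router `start`.
    Returns the hop list; the last element is the outcome: a wire name
    (delivered to a host there), "INTERNET", "local", or "unreachable"."""
    hops, router = [start], start
    for _ in range(max_hops):
        if OWNER.get(dst) == router:            # addressed to this router itself
            hops.append("local")
            return hops
        hit = lookup(TABLES[router], dst)
        if hit is None:
            hops.append("unreachable")
            return hops
        gw, iface = hit
        if gw == "INTERNET":
            hops.append("INTERNET")
            return hops
        if gw != iface:
            # Indirect route: the manual table, not the adapter mask, picks the next hop.
            router = OWNER[gw]
            hops.append(router)
            continue
        # Direct route: only now does the adapter's address/mask decide on-link delivery.
        wire = wire_of(iface)
        hops.append(wire if on_wire(dst, wire) else "unreachable")
        return hops
    hops.append("loop")
    return hops


if __name__ == "__main__":
    for start, dst in [("Router#A", "192.168.1.10"),   # inbound to an internal host
                       ("Router#B", "203.0.113.5"),    # outbound to the Internet
                       ("Router#B", "192.168.0.1")]:   # internal host pinging Router#A's outside address
        print(f"{start} -> {dst}: {' -> '.join(trace(start, dst))}")
```

The third trace is the weirdness the post mentions: at Router#B the /22 entry wins over the default route, the packet is handed to if(2) as a direct delivery, and the on-link check then finds that 192.168.0.1 is not on the internal wire.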