Firewall Wizards mailing list archives

Re: strange firewall setup


From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 12 Jul 1999 20:38:10 -0700 (PDT)

The configuration you describe is common. The error you have 
is the assumption that the adapter configuration is used for
all routing purposes on the local segment.

In order to explain how this works, let's remove
"firewalling" from the equation and assume the FW-1
box is just another router. Let's assume a configuration
like the following:

Mask of 255.255.252.0 for everyone, IP addresses used
for demonstration purposes and are assumed to be Internet
routable (even though we use private addresses).

     /~~~~~~\
    {INTERNET}
     \~~~~~~/
        |
+-------+-------+
|  192.168.0.1  | if(1)
|               |
|               | Router#A
|               |
|  192.168.0.2  | if(2)
+-------+-------+
        |
        |
+---------------+
|  192.168.0.3  | if(1)
|               |
|               | Router#B
|               |
|  192.168.0.4  | if(2)
+-------+-------+
        |
        |
     /~~~~~~\
    {internal}
     \~~~~~~/


Q: How the heck do the packets get routed?
A: Manual ROUTEs or Proxy ARP.


Explanation: Manual routing

The original question assumed all dynamic routing, as 
maintained by everyone's NIC configuration and routing
protocol. However, most Internet connection points like
this use MANUAL routing. Using MANUAL, rather than DYNAMIC
routing, something like this is easy. I do it all the time
in lab environments in order to make more interesting 
routes for my packets to follow.

In the manual route scenario, Router#A has the route
table:
===========================================================================
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         INTERNET     192.168.0.1       1
      192.168.0.0    255.255.252.0      192.168.0.3     192.168.0.2       1
===========================================================================
Translation: "Pass all INTERNET traffic out to the Internet, and
pass all internal traffic to Router#B who is located on the segment
off if(2)".

Router#B has the configuration:
===========================================================================
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.2     192.168.0.3       1
      192.168.0.0    255.255.252.0      192.168.0.4     192.168.0.4       1
===========================================================================
The interpretation is "Pass all INTERNET traffic out to Router#A
located off my own if(1), pass all internal traffic out my own if(2)"

This may lead to some weirdness; with these routing tables, you can't
ping Router#1 from the internal network, because Router#2 doesn't know 
how to route those packets.

Note carefully the configuration (assuming I got it right). Inbound
traffic is configured on Router#A to go to Router#B, but inbound
traffic on #B is configured to go to #B. Why? Once it gets sent to 
the adapter, THEN the default routing of comparing against the
address mask is used. This is the sticky point in the original query,
which assumed the adapter configuration of address/mask was always
used. In this sample, it is only used once by Router#B when forwarding
packets destined for the Internal network.

DISCLAIMER: I've probably made an error in the above routing tables
(as they were typed in by hand). I fixed one already that was totally
wrong, even after double checking it.

Explanation: Proxy ARP

Another solution to this problem would be Proxy ARP. In this case,
Router#1 will receive incoming packets and ARP the end-nodes.
Router#2 responds to all ARPs with its own MAC address, so Router#1
forwards the packets to Router#2, thinking it is a single end-node
with hundreds of IP addresses. Router#2 then routes accordingly.
Proxy ARPs can work in the reverse direction as well.

Proxy ARPs work because there is conceptually no difference between
receiving a frame for routing and receiving a frame destined to
yourself. This is why you see that all end-nodes (like
WinNT, Linux, etc.) have routing capabilities built-in, because
all TCP/IP stacks are routers anyway.

Hope this helps,
Rob.
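The forwarding behaviour the post walks through, as an added example that is not part of the original message: a longest-prefix-match lookup over the two manual route tables above, traced hop by hop. The "wire" map and the sample host/Internet addresses (192.168.1.50, 203.0.113.10) are constructed from the diagram; the third trace reproduces the "can't ping Router#A from inside" case, where Router#B's on-link route sends the packet out the wrong interface.

```python
import ipaddress

# Route tables transcribed from the post: (destination prefix, gateway,
# egress interface). A gateway equal to the interface's own address is an
# on-link route: only there is the address/mask used to ARP the destination.
TABLES = {
    "Router#A": [("0.0.0.0/0", "INTERNET", "192.168.0.1"),
                 ("192.168.0.0/22", "192.168.0.3", "192.168.0.2")],
    "Router#B": [("0.0.0.0/0", "192.168.0.2", "192.168.0.3"),
                 ("192.168.0.0/22", "192.168.0.4", "192.168.0.4")],
}
OWNER = {"192.168.0.1": "Router#A", "192.168.0.2": "Router#A",
         "192.168.0.3": "Router#B", "192.168.0.4": "Router#B"}
# Which physical wire each address sits on, per the diagram (constructed).
LAN = ipaddress.ip_network("192.168.0.0/22")
WIRE = {"INTERNET": "internet", "192.168.0.1": "internet",
        "192.168.0.2": "middle", "192.168.0.3": "middle",
        "192.168.0.4": "internal"}

def wire(addr):
    if addr in WIRE:
        return WIRE[addr]
    return "internal" if ipaddress.ip_address(addr) in LAN else "internet"

def lookup(table, dst):
    """Longest-prefix match over the manual routes: returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best[1], best[2]

def trace(start, dst, max_hops=4):
    """Forward router by router. Each hop is (router, egress iface, next hop,
    delivered); delivered is False when the next hop is not on the egress
    wire, i.e. the ARP request for it would never be answered."""
    hops, router = [], start
    for _ in range(max_hops):
        gateway, iface = lookup(TABLES[router], dst)
        nxt = dst if gateway == iface else gateway
        ok = wire(nxt) == wire(iface)
        hops.append((router, iface, nxt, ok))
        if not ok or nxt not in OWNER or OWNER[nxt] == router:
            break
        router = OWNER[nxt]
    return hops

if __name__ == "__main__":
    for start, dst in [("Router#A", "192.168.1.50"),  # inbound from Internet
                       ("Router#B", "203.0.113.10"),  # outbound from inside
                       ("Router#B", "192.168.0.1")]:  # inside pings Router#A
        print(start, "->", dst, trace(start, dst))
```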


