Firewall Wizards mailing list archives
Re: strange firewall setup
From: Robert Graham <robert_david_graham () yahoo com>
Date: Wed, 14 Jul 1999 14:44:00 -0700 (PDT)
--- Security Administrator <security () kokoro com> wrote:
1) WHY would you ever have such a setup in a non-experimental environment?
There are too many reasons to go in depth here. I would like to stress that this is the "normal" configuration (though not the most common). What you see is really just a "subset" of this configuration, i.e. the default route of 0.0.0.0 is really a subset of other routes.
What is the advantage over having just the one router that has an internal & external iface??
Lots of reasons. One is better security: most people put some simple obvious rules on their router into their DMZ, and then more complicated rules on the real firewall between the DMZ and the corporation. However, the most common reason is that routers support the incoming line: T1, DS3, Frame Relay, X.25, modem banks, DSL, etc. Most firewalls don't. Therefore, you need the router for pure connectivity reasons, then you need the firewall connected via Ethernet for filtering reasons.
2) I don't understand the last part, where Router B sends packets destined to the internal network to its own iface2. Wouldn't this create an infinite loop? e.g.
This is just a fictional configuration that doesn't really mean anything. It doesn't send it to its interface. If the "GATEWAY" parameter is specified, then generally the router will ARP the gateway, then send the packet across the network to that machine. If no gateway is specified, then it means the system uses some other mechanism to determine the next hop, such as looking at its routing table or ARPing the destination.
I apologize, I simply copied/pasted the routing table from my local Windows machine, which uses that notation. Other systems use a more intelligent notation.
On UNIX and Windows you can use the ROUTE command to view this information, and configure the systems to replicate this scenario.
Rob.
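
The next-hop decision described in the message above, as an added example that is not part of the original post: a longest-prefix lookup in which 0.0.0.0/0 is only the least specific match, and a gateway equal to the router's own interface address (the older Windows `route print` notation) means the destination is ARPed directly. The table, its addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed table in the older Windows "route print" style; all addresses
# are made-up samples. Columns: destination network, gateway, local interface.
ROUTES = [
    ("0.0.0.0/0",    "192.0.2.1",  "192.0.2.2"),  # default route: matches everything
    ("10.1.0.0/16",  "10.0.0.254", "10.0.0.1"),   # internal net behind a firewall
    ("10.0.0.0/24",  "10.0.0.1",   "10.0.0.1"),   # gateway == own interface: on-link
    ("192.0.2.0/24", "192.0.2.2",  "192.0.2.2"),  # gateway == own interface: on-link
]

def is_on_link(gateway, interface):
    """No gateway, or the interface's own address, means 'directly attached'."""
    return gateway in (None, interface)

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw, ifc) for net, gw, ifc in routes
            if addr in ipaddress.ip_network(net)]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda r: r[0].prefixlen)

def next_hop(dst, routes=ROUTES):
    """Return the matched route and the address the sender would ARP for."""
    net, gw, ifc = lookup(dst, routes)
    on_link = is_on_link(gw, ifc)
    return {"route": str(net), "interface": ifc, "on_link": on_link,
            "arp_target": dst if on_link else gw}

def unreachable_gateways(routes=ROUTES):
    """Routes whose gateway is not on any directly attached network."""
    attached = [(ipaddress.ip_network(net), ifc) for net, gw, ifc in routes
                if is_on_link(gw, ifc)]
    bad = []
    for net, gw, ifc in routes:
        if is_on_link(gw, ifc):
            continue
        g = ipaddress.ip_address(gw)
        if not any(g in n and i == ifc for n, i in attached):
            bad.append((net, gw, ifc))
    return bad

if __name__ == "__main__":
    for dst in ("10.0.0.77", "10.1.5.9", "198.51.100.7"):
        print(dst, next_hop(dst))
```

`unreachable_gateways` is a sanity check for a hand-edited table: a route whose gateway does not sit on a directly attached network can never be used, because the router has nothing to ARP for.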