Firewall Wizards mailing list archives

Re: strange firewall setup


From: Robert Graham <robert_david_graham () yahoo com>
Date: Wed, 14 Jul 1999 14:44:00 -0700 (PDT)

--- Security Administrator <security () kokoro com> wrote:
> 1) WHY would you ever have such a setup in a non-experimental environment?

There are too many reasons to go in depth here. I would like to stress that
this is the "normal" configuration (though not the most common). What you see
is really just a "subset" of this configuration. I.e., the default route of
0.0.0.0 is really a subset of other routes.

> What is the advantage over having just the one router that has an internal
> & external iface??

Lots of reasons. One is better security: most people put some simple obvious
rules on their router into their DMZ, and then more complicated rules on the
real firewall between the DMZ and the corporation. However, the most common
reason is that routers support the incoming line: T1, DS3, Frame Relay, X.25,
modem banks, DSL, etc. Most firewalls don't. Therefore, you need the router for
pure connectivity reasons, then you need the firewall connected via Ethernet
for filtering reasons.



> 2) I don't understand the last part, where Router B sends packets destined
> to the internal network to its own iface2.  Wouldn't this create an
> infinite loop?  e.g.

This is just a fictional configuration that doesn't really mean anything. It
doesn't send it to its interface.

If the "GATEWAY" parameter is specified, then generally the router will ARP the
gateway, then send the packet across the network to that machine. If no gateway
is specified, then it means the system uses some other mechanism to determine
the next hop, such as looking at its routing table or ARPing the destination. I
apologize, I simply copied/pasted the routing table from my local Windows
machine, which uses that notation. Other systems use a more intelligent
notation.

On UNIX and Windows you can use the ROUTE command to view this information, and
configure the systems to replicate this scenario.

Rob.
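The next-hop rule Rob describes (ARP the gateway if one is listed, otherwise ARP the destination itself) and his point that the 0.0.0.0 default route is a subset of the more specific routes can both be shown in a few lines. The following is an added example, not code from the original message or from either poster: it parses a constructed Windows-style `route print` table (the host address 10.1.1.5, the gateways 10.1.1.254 and 10.1.1.250, and the prefixes are all made up for illustration) and resolves where a packet physically goes. On Windows, a route whose Gateway column equals its Interface column is "on-link", which is the case the original question mistook for a router sending traffic to its own interface.

```python
"""Next-hop resolution over a Windows-style routing table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network      # Network Destination + Netmask as one prefix
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int

    @property
    def on_link(self) -> bool:
        # Windows shows the interface's own address in the Gateway column when
        # there is no next-hop router: the destination is reached directly.
        return self.gateway == self.interface


# Constructed `route print` output for a host at 10.1.1.5/24 (example data,
# not the table from the original post).
ROUTE_PRINT_OUTPUT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.1.1.254       10.1.1.5       1
         10.1.1.0    255.255.255.0        10.1.1.5       10.1.1.5       1
     192.168.20.0    255.255.255.0      10.1.1.250       10.1.1.5       1
        127.0.0.0        255.0.0.0       127.0.0.1      127.0.0.1       1
"""


def parse_route_table(text: str) -> List[Route]:
    """Turn the five-column `route print` layout into Route objects."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0][0].isdigit():
            continue  # header line or anything that is not a route
        dest, mask, gw, iface, metric = fields
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, ipaddress.IPv4Address(gw),
                            ipaddress.IPv4Address(iface), int(metric)))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; lower metric breaks ties."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: List[Route], destination: str) -> dict:
    """Decide which machine gets ARPed and receives the frame."""
    route = lookup(routes, destination)
    if route is None:
        return {"route": None, "next_hop": None, "on_link": False}
    # Gateway listed: ARP the gateway and hand it the packet.
    # No gateway (on-link): ARP the destination itself; nothing loops back.
    hop = ipaddress.IPv4Address(destination) if route.on_link else route.gateway
    return {"route": str(route.network), "next_hop": str(hop),
            "on_link": route.on_link}


def covered_by_default(routes: List[Route]) -> List[str]:
    """Every non-default prefix is a subset of 0.0.0.0/0; it only wins by being longer."""
    default = ipaddress.IPv4Network("0.0.0.0/0")
    return [str(r.network) for r in routes
            if r.network != default and r.network.subnet_of(default)]


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT_OUTPUT)
    for dst in ("10.1.1.77", "192.168.20.9", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
    print("prefixes inside the default route:", covered_by_default(table))
```

Running it shows 10.1.1.77 resolved on-link (the host ARPs 10.1.1.77 directly), 192.168.20.9 handed to the 10.1.1.250 router, and 8.8.8.8 falling through to the default gateway 10.1.1.254; the last line lists every specific prefix as a subset of 0.0.0.0/0, which is the relationship Rob refers to.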
