Firewall Wizards mailing list archives

Re: Firewall-1 and Frame relay interfaces


From: "Crist Clark" <crist.clark () globalstar com>
Date: Tue, 05 Jun 2001 10:06:12 -0700

"Dawes, Rogan (ZA - Johannesburg)" wrote:

[snip]
 
> I was thinking that it would be a lot simpler to have a firewall device
> (Nokia or Sun) with a frame relay interface. The individual PVCs would
> connect to the firewall over the single (electrical) connection, but the
> firewall would treat them as separate interfaces. Then the firewall can
> control any traffic between interfaces. This seems to remove an enormous
> amount of complexity (routers, QFE's, etc), with no downside.
>
> However, I have been informed that the Nokia boxen (and Sun, it seems) will
> do the routing first, and if the packet is to go out of the same interface,
> will transmit it immediately out the interface without it passing through
> the firewall rulebase.  To me though, the different frame relay PVC's are
> different interfaces!
>
> Can anyone confirm or deny this?  I would hate to have to go with the
> complex solution for nothing.

Are we still talking about FW-1? FW-1 does do the routing calculation
first. This is extremely annoying. However, the packet still goes through 
the firewall rules. This only becomes an issue when the destination address
of the packet changes somewhere in the firewall processing, i.e. when you
are doing NAT.

So, yes, routing is done first in FW-1, but no, the packet does not go
out an interface without first passing through the ruleset. At least,
that's what the docs say.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
