Firewall Wizards mailing list archives
Re: OSPF on Firewall
From: Carson Gaspar <carson () taltos org>
Date: Wed, 17 Dec 2003 19:21:11 -0500
One standard solution is to use BGP between the routers, and permit the TCP port through the firewall.
For the several folks who have expressed the opinion "why on earth would you want to do that!?", I have a standard example. You have leased lines to a partner company. For BCP reasons, you have them installed in multiple diverse geographic locations. You need to automatically use the backup circuit if the primary is down, or if the building the primary is in blows up. In order to handle the "building blows up" case, you really need to advertise dynamic routes internally. The easiest way to do this is to have the router (VPN endpoint, whatever) advertise the route, via the firewall, to the internal network. Yes, you want to do route filtering on the internal router (or the firewall), as the external router is exposed to attack.
Of course, doing this requires one of:
- a firewall that can do remote state sharing
- a stateless firewall
- forced symmetric routes, and an acceptance that existing connections will die when a failure occurs.
-- Carson
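An added illustration of the design described in the post (not part of the original message): the internal router peers with the exposed external router through the firewall, accepts only the partner's prefixes from it, caps the prefix count, and the firewall permits only that one BGP session. Cisco IOS and iptables syntax are assumed; AS numbers and all addresses are constructed placeholders.

```text
! --- Internal router (assumed Cisco IOS syntax; addresses and ASNs are constructed) ---
! Only the partner's prefixes are accepted from the external router; anything else it
! advertises (including our own internal space, if it is compromised) is dropped by the
! implicit deny at the end of the prefix-list.
ip prefix-list PARTNER-IN seq 10 permit 203.0.113.0/24
ip prefix-list PARTNER-IN seq 20 permit 198.51.100.0/24
! Only the prefixes the partner is supposed to reach are advertised outbound.
ip prefix-list PARTNER-OUT seq 10 permit 192.0.2.0/24
!
router bgp 65010
 ! 192.168.1.1 is the external router, reached through the firewall.
 neighbor 192.168.1.1 remote-as 65020
 ! Needed only if the firewall routes between two subnets (peers not directly connected).
 neighbor 192.168.1.1 ebgp-multihop 2
 ! TCP MD5 on the session so a spoofed peer cannot inject routes.
 neighbor 192.168.1.1 password <SHARED-SECRET-PLACEHOLDER>
 neighbor 192.168.1.1 prefix-list PARTNER-IN in
 neighbor 192.168.1.1 prefix-list PARTNER-OUT out
 ! Tear the session down if the external router ever sends more than 10 prefixes,
 ! and retry after 5 minutes; a flood of routes is a sign it has been tampered with.
 neighbor 192.168.1.1 maximum-prefix 10 restart 5

# --- Firewall (assumed iptables syntax) ---
# Permit the one BGP session between the two named peers, not TCP/179 generically.
# Either side may open the session, so allow NEW in both directions between these hosts.
iptables -A FORWARD -p tcp -s 192.168.1.1 -d 192.168.1.2 --dport 179 \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.2 -d 192.168.1.1 --dport 179 \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
```

The same inbound prefix-list can be applied on the firewall instead of the internal router where the firewall speaks BGP itself, which is the "or the firewall" option the post mentions.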