Firewall Wizards mailing list archives
RE: Firewall routing thought...
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 8 Jul 2004 17:19:45 +0200
-----Original Message----- [...] From: Gwendolynn ferch Elydyr
[...]
On Fri, 2 Jul 2004, Eric Appelboom wrote:

If one has firewall A with external IP on the same subnet as firewall B, how common is the practice of adding static routes on firewall A for the networks protected by firewall B and the other way round?
[...]
First of all, it's not likely to improve your latency or overhead. The packets are still going to be seen by the router.
I don't think that's right, unless I've misunderstood the environment description. If hosts A and B are firewalls and C is a router on the same subnet, which is also the default route for A and B, then traffic from A to the network _behind_ B will be sent to C to route. C will probably also send an ICMP redirect to tell A to route through B. This new route will stick around for a while in some protocol, not at all for others. With a static route, A will send traffic for Net_Behind_B straight to B. That's better.
Secondly, you've now added complexity to your network in the form of a bunch of static routes in different places, all of which need to be maintained - and almost certainly won't be, until some change breaks things. "A tad messy" is almost always a signal to run away screaming. That's code for "unmaintainable" and "all-nighters".
I quite like this document. Mainly for the Southpark references, I think. http://www.qorbit.net/documents/icmp-redirects-are-bad.htm

I'm not much of a fan of the maintainability of static routes either, though. Basically, you may choose your poison. A third poison you didn't mention is dynamic routing, which fixes the routing optimisation _and_ the manageability. Sadly it totally _screws_ the security, so as poisons go it's pretty...um...poisonous.

Cheers,
ben
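As an added illustration of the forwarding behaviour discussed in the thread (this is not code from the posts or from any of the participants), here is a small Python model of firewall A's routing table. Without the static route, a packet for the network behind B is handed to router C, which answers with an ICMP redirect that installs a host route on A; with the static route, or with redirects refused, that never happens. All addresses are constructed example values.

```python
import ipaddress

# Constructed addressing for the scenario: firewalls A and B share the outside
# subnet 192.0.2.0/24 with router C, which is the default gateway of both.
OUTSIDE = ipaddress.ip_network("192.0.2.0/24")
A_ADDR, B_ADDR, C_ADDR = "192.0.2.10", "192.0.2.20", "192.0.2.1"
NET_BEHIND_B = "10.2.0.0/24"

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)], as a kernel FIB does it."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def firewall_a_table(static_route=False):
    """A's table: connected subnet, default via C, optionally Eric's static route."""
    table = [(str(OUTSIDE), "direct"), ("0.0.0.0/0", C_ADDR)]
    if static_route:
        table.append((NET_BEHIND_B, B_ADDR))
    return table

# Router C knows the real path to the network behind B.
ROUTER_C_TABLE = [(str(OUTSIDE), "direct"), (NET_BEHIND_B, B_ADDR)]

def forward_from_a(table, dst, accept_redirects=True):
    """Send one packet from A to dst.
    Returns (first_hop, redirect_target_or_None, A's table afterwards)."""
    first_hop = lookup(table, dst)
    if first_hop != C_ADDR:
        return first_hop, None, table          # static route: straight to B
    # C forwards the packet; when C's own next hop sits on the subnet it shares
    # with A, C tells A about the shortcut with an ICMP redirect.
    c_next = lookup(ROUTER_C_TABLE, dst)
    redirect = None
    if c_next not in (None, "direct") and ipaddress.ip_address(c_next) in OUTSIDE:
        redirect = c_next
    if redirect and accept_redirects:
        # The redirect installs a host (/32) route that the kernel later ages out.
        table = table + [(dst + "/32", redirect)]
    return first_hop, redirect, table

if __name__ == "__main__":
    for static in (False, True):
        hop, redir, after = forward_from_a(firewall_a_table(static), "10.2.0.7")
        print(f"static={static}: first hop {hop}, redirect {redir}, "
              f"next packet goes to {lookup(after, '10.2.0.7')}")
```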