Firewall Wizards mailing list archives
Re: Firewall routing thought...
From: Mark <firewalladmin () bellsouth net>
Date: Thu, 08 Jul 2004 22:33:21 -0400
I know this might be nit-picking, but routers actually make routing decisions in software too. They just have software running on "routing" optimized hardware and in most cases the software is more streamlined since it is doing less work (no proxies/application layer stuff except in router/firewall hybrids).

In addition, even though Firewall "A" and Firewall "B" are on the same subnet, they are only aware of directly attached networks unless routing protocols (insecure) are used OR static routes are used. In other words, neither firewall knows about the "inside" network of the other firewall. That is why the packets go to the default gateway (router) who knows about the other networks via routing protocol or static entry and then does the "U-turn" to the appropriate firewall.

If the network really does look like Devdas and Ng Pheng Siong laid out, then I think it would be worth the trouble to do static routing if there is any significant traffic between the two networks.

[=o)
Mark

On Thu, 2004-07-08 at 19:17, Gwendolynn ferch Elydyr wrote:
What he's really asking is whether it makes more sense to establish and maintain [static] routing tables on his firewalls, rather than set a default route, and let the router sort out what networks are where. In terms of performance, almost all firewalls handle routing decisions in software. The router handles the same decisions in hardware. The router is going to be faster[0]. It's the difference between taking the freeway or the back roads to a given location, presuming traffic conditions are clear.
On Tue, 6 Jul 2004 13:50:18 -0400 (EDT) Gwendolynn ferch Elydyr penned:
On Fri, 2 Jul 2004, Eric Appelboom wrote:
If one has firewall A with external IP on the same subnet as firewall B, how common is the practice of adding static routes on firewall A for the networks protected by firewall B and the other way round?
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
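
The forwarding behaviour discussed in this message, as an added example that is not part of the original thread: a longest-prefix-match lookup showing the "U-turn" through the default gateway when the firewalls only have a default route, and the direct path once each firewall has a static route for the other's inside network. All addresses and device names are constructed for illustration.

```python
import ipaddress

# Constructed topology (assumption, not from the thread): the router and both
# firewalls share 192.0.2.0/24; each firewall protects one inside network.
ROUTER, FW_A, FW_B = "192.0.2.1", "192.0.2.10", "192.0.2.20"
SHARED, INSIDE_A, INSIDE_B = "192.0.2.0/24", "10.1.0.0/16", "10.2.0.0/16"

def table(*routes):
    """Routing table as [(network, next_hop)]; next_hop None = directly attached."""
    return [(ipaddress.ip_network(net), hop) for net, hop in routes]

def lookup(tbl, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in tbl if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build(static_on_firewalls):
    """Per-device tables. The router always knows both inside networks."""
    tables = {
        ROUTER: table((SHARED, None), (INSIDE_A, FW_A), (INSIDE_B, FW_B)),
        FW_A: table((SHARED, None), (INSIDE_A, None), ("0.0.0.0/0", ROUTER)),
        FW_B: table((SHARED, None), (INSIDE_B, None), ("0.0.0.0/0", ROUTER)),
    }
    if static_on_firewalls:
        # Each firewall learns the other's inside network via a static entry.
        tables[FW_A] += table((INSIDE_B, FW_B))
        tables[FW_B] += table((INSIDE_A, FW_A))
    return tables

def path(tables, start, dst, max_hops=8):
    """Devices that forward the packet, in order, until one is attached to dst."""
    hops, node = [start], start
    for _ in range(max_hops):
        nxt = lookup(tables[node], dst)
        if nxt is None:          # dst is on a network attached to this device
            return hops
        hops.append(nxt)
        node = nxt
    raise RuntimeError("routing loop")

if __name__ == "__main__":
    for static in (False, True):
        label = "static routes" if static else "default route only"
        print(label, "->", path(build(static), FW_A, "10.2.3.4"))
```
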