nanog mailing list archives

Re: Dynamic routing on firewalls.

From: Patrick Tracanelli <eksffa () freebsdbrasil com br>
Date: Mon, 9 Feb 2015 13:47:10 -0200

On 09/02/2015, at 13:25, Valdis.Kletnieks () vt edu wrote:

On Mon, 09 Feb 2015 12:56:37 -0200, Patrick Tracanelli said:

On 09/02/2015, at 12:14, Valdis.Kletnieks () vt edu wrote:
On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:

On a bridged firewall you can have the behavior you want, whatever it is. Passing packets with firewall is down, 
but the box still up.


Owen's point is that passing packets if the firewall is down is really poor
security-wise.   If you run in that configuration, I simply DoS your firewall
(probably from one set of IP addresses), and then once it has fallen over and
is being bypassed, I send my *real* malicious traffic from some other IP
address, totally uninspected and unhindered.  Much hilarity, hijinks, and
pwnage ensues.


Hello Valdis,

If this is really the point, I don’t know what system you are talking about


The one *you* mentioned - "passing packets with firewall is down".  Owen
was pointing out that is a silly configuration:


An explicit decision regarding bypass ports, as I mentioned if someone does not want a redundant approach and doesn’t 
want availability issues if power is down or system is overloaded.

Not an inherit behavior or a must. Not related to being L2 our L3. Just a mentioned possibility. Not a limitation, not 
a recommendation. In the previous e-mail I mentioned “whatever option you want” upon failure, traffic still flowing, 
traffic bypassed, traffic dropped, L2+STP redundancy, no redundancy at all. So please don’t refer to one single option 
and pointing it as a failure of the methodology nature if you consider a decision/project error, and in this case just 
do it the other way, opting out from bypass and dropping or failing over, upon exhaustion or failure. Back to the 
point, doesn’t have to be different or limited from what you get in L3 firewalling.


On 08/02/2015, at 22:48, Owen DeLong <owen () delong com> wrote:

Technically true, but bridged firewalls are pretty much passe these days in the
real world. As a general rule, when the firewall is shut down, one usually
doesn’t want the packets flowing past un-hindered. The fact that this is kind
of the default of what happens with bridged firewalls is just one of the many
reasons hardly anyone still uses such a thing.


--
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601 () sip freebsdbrasil com br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

Current thread:

Re: Dynamic routing on firewalls., (continued)
- - - Re: Dynamic routing on firewalls. BPNoC Group (Feb 08)
    - Re: Dynamic routing on firewalls. Owen DeLong (Feb 08)
    - Re: Dynamic routing on firewalls. Rich Kulawiec (Feb 09)
    - Re: Dynamic routing on firewalls. Eugeniu Patrascu (Feb 09)
    - Re: Dynamic routing on firewalls. Patrick Tracanelli (Feb 08)
    - Re: Dynamic routing on firewalls. Owen DeLong (Feb 08)
    - Re: Dynamic routing on firewalls. Patrick Tracanelli (Feb 09)
    - Re: Dynamic routing on firewalls. Valdis . Kletnieks (Feb 09)
    - Re: Dynamic routing on firewalls. Patrick Tracanelli (Feb 09)
    - Re: Dynamic routing on firewalls. Valdis . Kletnieks (Feb 09)
    - Re: Dynamic routing on firewalls. Patrick Tracanelli (Feb 09)
  - Re: Dynamic routing on firewalls. Nicholas Oas (Feb 05)
- Re: Dynamic routing on firewalls. Craig (Feb 08)
  - RE: Dynamic routing on firewalls. Tony Wicks (Feb 08)