nanog mailing list archives
Re: Dynamic routing on firewalls.
From: Patrick Tracanelli <eksffa () freebsdbrasil com br>
Date: Mon, 9 Feb 2015 13:47:10 -0200
On 09/02/2015, at 13:25, Valdis.Kletnieks () vt edu wrote:

> On Mon, 09 Feb 2015 12:56:37 -0200, Patrick Tracanelli said:
>
>> On 09/02/2015, at 12:14, Valdis.Kletnieks () vt edu wrote:
>>
>>> On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
>>>
>>>> On a bridged firewall you can have the behavior you want, whatever it is. Passing packets with firewall is down, but the box still up.
>>>
>>> Owen's point is that passing packets if the firewall is down is really poor security-wise. If you run in that configuration, I simply DoS your firewall (probably from one set of IP addresses), and then once it has fallen over and is being bypassed, I send my *real* malicious traffic from some other IP address, totally uninspected and unhindered. Much hilarity, hijinks, and pwnage ensues.
>>
>> Hello Valdis,
>>
>> If this is really the point, I don’t know what system you are talking about
>
> The one *you* mentioned - "passing packets with firewall is down". Owen was pointing out that is a silly configuration:
An explicit decision regarding bypass ports, as I mentioned, if someone does not want a redundant approach and doesn’t want availability issues if power is down or the system is overloaded. Not an inherent behavior or a must. Not related to being L2 or L3. Just a mentioned possibility. Not a limitation, not a recommendation. In the previous e-mail I mentioned “whatever option you want” upon failure: traffic still flowing, traffic bypassed, traffic dropped, L2+STP redundancy, no redundancy at all. So please don’t refer to one single option and point to it as a failure of the methodology's nature if you consider it a decision/project error; in that case just do it the other way, opting out from bypass and dropping or failing over upon exhaustion or failure. Back to the point, it doesn’t have to be different from or more limited than what you get in L3 firewalling.
On 08/02/2015, at 22:48, Owen DeLong <owen () delong com> wrote:

> Technically true, but bridged firewalls are pretty much passe these days in the real world. As a general rule, when the firewall is shut down, one usually doesn’t want the packets flowing past un-hindered. The fact that this is kind of the default of what happens with bridged firewalls is just one of the many reasons hardly anyone still uses such a thing.
-- 
Patrick Tracanelli
FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601 () sip freebsdbrasil com br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
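As an added illustration, not code from this thread or from any real firewall product, the following Python model shows the trade-off the posts above argue about: an inline (bridged) firewall whose flow-state table fills up under a flood from one source, followed by a new flow from a different source. With a fail-open (bypass) policy the new flow is forwarded without inspection; with a fail-closed policy it is dropped until the engine recovers; and when the engine is healthy, inspection blocks it. The policy names, the table size, the addresses (RFC 5737 documentation ranges) and the packets are all constructed for this example.

```python
"""Toy model of an inline (bridged) firewall under resource exhaustion.

Added illustration only: not code from the NANOG thread or any real firewall.
It compares the two failure policies discussed in the thread, fail-open
(bypass inspection when the engine is down or exhausted) and fail-closed
(drop everything until the engine recovers).
"""
from dataclasses import dataclass, field
from enum import Enum


class FailPolicy(Enum):
    FAIL_OPEN = "fail-open"      # bypass ports: traffic flows uninspected
    FAIL_CLOSED = "fail-closed"  # bridge members go down: traffic dropped


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flow_id: int
    malicious: bool = False  # what a working inspection engine would flag


@dataclass
class Verdict:
    forwarded: bool
    inspected: bool
    reason: str


@dataclass
class BridgedFirewall:
    """Bridged firewall with a bounded flow-state table (constructed limit)."""
    policy: FailPolicy
    max_flows: int = 100
    flows: set = field(default_factory=set)

    def engine_exhausted(self) -> bool:
        # The engine is "down" for new flows once its state table is full.
        return len(self.flows) >= self.max_flows

    def handle(self, pkt: Packet) -> Verdict:
        if self.engine_exhausted() and pkt.flow_id not in self.flows:
            # Engine cannot take on the new flow: the failure policy decides.
            if self.policy is FailPolicy.FAIL_OPEN:
                return Verdict(True, False, "engine exhausted, bypassed")
            return Verdict(False, False, "engine exhausted, dropped")
        # Normal path: the flow is tracked and inspected.
        self.flows.add(pkt.flow_id)
        if pkt.malicious:
            return Verdict(False, True, "blocked by inspection")
        return Verdict(True, True, "allowed by inspection")


def flood(fw: BridgedFirewall, src: str, count: int, start_id: int = 0) -> None:
    """Send `count` distinct new flows from one source (constructed traffic)."""
    for i in range(count):
        fw.handle(Packet(src, "10.0.0.10", start_id + i))


def run_scenario(policy: FailPolicy, flood_size: int = 100) -> Verdict:
    """Flood from one source, then a malicious flow from a second source."""
    fw = BridgedFirewall(policy=policy, max_flows=100)
    flood(fw, "192.0.2.66", flood_size)
    second_src = Packet("198.51.100.7", "10.0.0.10", flow_id=999_999, malicious=True)
    return fw.handle(second_src)


if __name__ == "__main__":
    for p in FailPolicy:
        v = run_scenario(p)
        print(f"{p.value}: forwarded={v.forwarded} inspected={v.inspected} ({v.reason})")
    ok = run_scenario(FailPolicy.FAIL_OPEN, flood_size=10)
    print(f"healthy engine: forwarded={ok.forwarded} inspected={ok.inspected} ({ok.reason})")
```

The third option mentioned in the thread, failing over to a redundant path (L2+STP or an L3 equivalent), is the one that keeps availability without giving up inspection; in this model it would correspond to handing the new flow to a second `BridgedFirewall` instance rather than choosing between bypass and drop.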