Re: Stateful firewalls and dynamic routing question.



Thank you for the reply. I'm still a little confused. Does a firewall
do physical MAC address translation? I can see where this might be a
problem, as the source physical address would change if it came from
another router due to a topology change. I'm reading my books but can't
find an answer; they just show that a firewall looks at the source/dest
IP addresses. Sorry, I'm a newbie to networking. Thx.

On Oct 15, 5:19 pm, Jeroen Geilman <n...@xxxxxxx> wrote:
> abstractclass wrote:
> > Are stateful firewalls problematic when dynamic routing is used? Explain.
>
> Dynamic routing on the firewall box, or next to it?
>
> It could be a problem when you run a routing protocol ON the firewall
> box, yes, but then I would not advise anyone to do that.
> And the main reason that it could be a problem is because a stateful
> firewall generally also does address and/or port translation.
>
> For a pure firewall, no problems exist with respect to routing - dynamic
> or otherwise.
> In fact, that's where packet filtering is most commonly implemented - on
> the edge routers (that have to do dynamic routing, in order for you to
> surf the 'net.)
>
> > I'm guessing that when the network topology changes while an existing
> > connection exists in the state table, this would cause problems as the
> > source IP has the potential of changing and thus causing the existing
> > connection to drop.
>
> Why would the source IP change?
> The one thing IP routing always keeps intact are the source and
> destination addresses - it obviously has to, for your traffic to arrive
> *at all*.
>
> A TCP/IP network is what's known as a packet-switching network; there
> may be temporary virtual circuits but at no time are there physical
> connections between remote endpoints - ever.
> There is never a direct, fixed connection between any hosts not on the
> same physical subnet, which works on a lower layer than IP does.
>
> Methinks you'd be best helped by a quick readup on IP routing, and the
> (many) differences between routing and switching.
>
> > I am not sure what the solution to this would be.
> > The only one I can think of is to ensure that the firewall policy
> > contains all possible source IP addresses for each possible network
> > topology change? Am I correct at all, or way off?
>
> Way off, I'd say :)
>
> J.
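To make the point about what state a firewall actually tracks concrete, here is an added example (not code from either poster): a toy stateful filter keyed on the protocol/IP/port 5-tuple. A reply that arrives via a different upstream router carries a new source MAC but the same IP header, so it still matches the existing entry. Addresses and MACs are constructed documentation values.

```python
# Added example: minimal stateful connection table. State is keyed on
# (proto, src_ip, sport, dst_ip, dport); the L2 source MAC, which every
# router hop rewrites, is carried in the packet but never consulted.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str      # rewritten at each hop; ignored by the filter
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True for a connection-opening segment


class StatefulFilter:
    """Admit new flows only from the inside prefix; track them so replies pass."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.state: set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src_ip, p.sport, p.dst_ip, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst_ip, p.dport, p.src_ip, p.sport)

    def filter(self, p: Packet) -> str:
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            return "ESTABLISHED"                    # part of a tracked flow
        if p.syn and ipaddress.ip_address(p.src_ip) in self.inside:
            self.state.add(self._key(p))            # outbound open: record it
            return "NEW"
        return "DROP"                               # unsolicited inbound


def demo() -> tuple:
    fw = StatefulFilter("10.0.0.0/24")
    opened = fw.filter(Packet("00:00:5e:00:53:01", "10.0.0.5", "203.0.113.9", "tcp", 40000, 443, syn=True))
    # reply arrives via upstream router A
    via_a = fw.filter(Packet("00:00:5e:00:53:0a", "203.0.113.9", "10.0.0.5", "tcp", 443, 40000))
    # topology changes; the next reply arrives via router B (different source MAC, same IP header)
    via_b = fw.filter(Packet("00:00:5e:00:53:0b", "203.0.113.9", "10.0.0.5", "tcp", 443, 40000))
    # an unsolicited inbound SYN is still refused regardless of which router delivered it
    intruder = fw.filter(Packet("00:00:5e:00:53:0b", "198.51.100.7", "10.0.0.5", "tcp", 5555, 22, syn=True))
    return opened, via_a, via_b, intruder
```

The case Jeroen warns about is outside this toy: once the same box also translates addresses and the translated address is tied to a particular egress interface, a route change that moves the flow to another interface can invalidate the translation even though the tracked 5-tuple itself is unchanged.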
