Routing is next hop based. Default route means that if the packet has no
specific place to go, then go with the default route. It is up to you to
decide how you set up the default route.
_ming
On Wed, 23 Dec 1998, Martin, Kevin stated:
> Don't talk about poor design unless you understand the full scope of the
> problem and the politics involved. All of our inside routers DO share
> their routing tables: does this mean that they should all know to
> default route anything that is not in the routing tables to the same
> router? Are you saying that for our international sites they should
> have to use OUR firewall as their default route to the Internet? The
> routing stuff was all done at a time when there was NO Internet access
> and, up until this time, there have been no reasons to set the firewall
> as the default router. We are discussing these issues at this time but
> up until now the policy has been to NOT set the default route to the
> firewall.
>
> Kevin Martin
> Bank of America - CRT
> Firewall/Network Admin.
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Joe Ippolito [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 23, 1998 12:37 AM
> To: Martin, Kevin
> Cc: 'FW Digest'; 'fw-1-mailinglist'; 'Ming Lu'
> Subject: RE: Something I'd like to see in FW1.
>
>
> I beg to differ with your difference. All inside routers should be allowed
> to share their routing tables with each other using EIGRP, OSPF or some
> other modern routing protocol with a default route to the inside of the
> firewall. That is as far as any internal routing information should travel.
> With the hide translation no outside host should have access to anything on
> your internal network - routing information, DNS, etc, etc. All hosts that
> require outside hosts to initiate communication with them should be placed
> on a separate firewalled network commonly referred to as a "DMZ". The
> internal hosts can have full access to DMZ hosts but DMZ hosts should not be
> allowed to initiate anything with internal hosts. After all, how much does
> one more network interface cost?
>
> Just do it right and you won't have to worry about Check Point or any other
> firewall vendor compensating for your poor design.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Martin, Kevin
> > Sent: Monday, December 21, 1998 8:14 AM
> > To: 'Ming Lu'
> > Cc: 'FW Digest'; 'fw-1-mailinglist'
> > Subject: RE: Something I'd like to see in FW1.
> >
> >
> > Ming,
> >
> > I beg to differ. I see no reason that a company w/ 100's ( possibly
> > 1000's ) of routers w/in a network should be REQUIRED to use the
> > firewall as their default route and then have to maintain a bunch of
> > static routes! It would be so much easier to correct the firewall
> > s'ware than to maintain the routing tables on all of these routers. I'm
> > sure that any big customers ( and many smaller customers ) of Checkpoint
> > would agree.
> >
> > Kevin Martin
> > Bank of America - CRT
> > Firewall/Network Admin.
> > [EMAIL PROTECTED]
> >
> >
> > -----Original Message-----
> > From: Ming Lu [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, December 20, 1998 8:27 PM
> > To: Martin, Kevin
> > Cc: 'FW Digest'; 'fw-1-mailinglist'
> > Subject: Re: Something I'd like to see in FW1.
> >
> >
> >
> > It has nothing to do with FW1! It is a routing problem. Get your routing
> > problem resolved (on the FW box) and you will be fine.
> >
> > _ming
> >
> > On Thu, 17 Dec 1998, Martin, Kevin stated:
> >
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > > -
> > > Don't know if anyone else has this issue, but here goes and here's a
> > > very short wish list.
> > >
> > > Because of the way that we do our networking, we don't set up our
> > > internal routers to default to the FW1 firewall. As such, we've run
> > > into the problem where we've got http(s) servers inside the firewall
> > > that need to be accessible from the Internet. This leads to a pretty
> > > serious problem involving routing and having to Address Translate the
> > > Internet coming in. We've set up a BUNCH of objects to represent the
> > > Internet and are, thus far, having reasonable success with it. We have,
> > > however, run into some problems where we neglected to split out the
> > > Internet objects far enough and have run into some overlaps. This is
> > > our problem and now, here's what I would like to see Checkpoint do:
> > >
> > > Just as they've given us the ability in our rule set to NEGATE an object
> > > ( thus allowing us to say : Source - NOT "Internal networks" Dest: any
> > > blah blah blah ) they should give us the same ability to negate in the
> > > Address Translation rules ( thus allowing us to translate any NOT
> > > INTERNAL NETWORKS coming in to the inside behind a HIDE translation ).
> > > What are all of your thoughts on this?
> > >
> > > Oh, one other thing that I'd like to see: show not only the rule that
> > > allows/drops/etc. a packet but, if there's ANY translation, show the
> > > rule that did the translation as well in the logs.
> > >
> > > Kevin Martin
> > > NationsBanc - CRT
> > > SMTP Postmaster/DNS/FIREWALL/UNIX/NT System Admin.
> > > [EMAIL PROTECTED]
> > >
> >
> >
>
============================================================================
Ming Lu Email: [EMAIL PROTECTED]
Sr. Network Engineer Phone: 703-689-5290 (w)
IP Engineering 703-855-4194 (m)
Global One Telecommunications, LLT. 703-689-6575 (f)
============================================================================
"Do not pay attention to every word people say, or you may hear your
servant cursing you ---- for you know in your heart that many times you
yourself have cursed others."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
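An added illustration of the two positions in this thread (my own example, not code from any participant or from Check Point): it expands a negated "NOT Internal networks" object into the explicit Internet blocks that otherwise have to be split out by hand, checks hand-built objects for the overlaps Kevin mentions, and does a next-hop lookup showing why a reply to an Internet source needs either a default route toward the firewall or a hide translation. The RFC 1918 ranges, the firewall inside address 10.0.0.1 and the route table are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread): RFC 1918 space
# stands in for the "Internal networks" object, 10.0.0.1 for the firewall's
# inside interface, and the route table is an inside router with no default.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL_INSIDE = "10.0.0.1"
ROUTES_NO_DEFAULT = [(ipaddress.ip_network("10.0.0.0/8"), "10.0.0.1"),
                     (ipaddress.ip_network("172.16.0.0/12"), "10.0.0.2"),
                     (ipaddress.ip_network("192.168.0.0/16"), "10.0.0.2")]

def not_internal(internal):
    """Expand a negated 'NOT Internal networks' object into the minimal set of
    CIDR blocks covering every other IPv4 address (the hand-built Internet objects)."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in internal:
        kept = []
        for block in remaining:
            if net.subnet_of(block):        # carve the internal net out of this block
                kept.extend(block.address_exclude(net))
            elif not block.subnet_of(net):  # disjoint: keep it; nested in net: drop it
                kept.append(block)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def overlapping_pairs(objects):
    """Pairs of hand-built network objects that overlap; NAT rules built on such
    objects match ambiguously, which is the overlap problem Kevin ran into."""
    nets = [ipaddress.ip_network(o) for o in objects]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

def next_hop(dst, routes):
    """Longest-prefix match. A 0.0.0.0/0 entry is the default route Ming means;
    without one an unmatched destination has nowhere to go (None)."""
    ip = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def reply_next_hop(src, routes, hide):
    """Where an internal server's reply to a request from `src` is routed. With
    hide translation the request appears to come from the firewall's inside
    address, so the reply is routable even though there is no default route."""
    internal_src = any(ipaddress.ip_address(src) in n for n in INTERNAL_NETWORKS)
    if hide and not internal_src:
        return next_hop(FIREWALL_INSIDE, routes)
    return next_hop(src, routes)
```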