Using a 1-bit mask on a Class C subnet (ex: 255.255.255.128) gets you into
some weird networking behaviour. While routers and our BSD Gauntlet
firewalls (multiple versions) handled this, I'm not sure that the Microsoft
stack will. At a class on Microsoft networking I recently took, the
instructor essentially said that, while this may be allowed by others,
assume that Microsoft doesn't allow it.

The reason is that, in general, subnets which contain all "0" bits and
subnets which contain all "1" bits have special meaning. Hence, if you have
a 1-bit mask, you have split into 2 subnets, either of which has either the
all 0 or all 1's in the network portion of the fourth byte. My experience is
that you may have problems with any dynamic routing protocol (ex: RIP) and
potentially with broadcasts.

From what I can tell, the newer stacks will handle a 1-bit mask but older
ones complain. At one time, Cisco's Internet sub-netting form required you
to have at least 2 bits in the subnet mask and disallowed using the lower
and upper 64 addresses.

We've run with a 1-bit mask for some years without problem but did hit 1
system which refused to allow it. Since we weren't allowing communication
between the 2 halves of the split network (host addresses 0..127 didn't talk
to 128..255), we told that system we weren't subnetted and everything
worked. Essentially, none of the 3 networks off the firewall knew that we
were subnetting the Internet and DMZ with a 1-bit subnet- only the firewall
knew. As far as the systems and routers on the Internet and DMZ segments
knew, each had the entire Class C (we just didn't assign systems in the half
they didn't "own"). The system previously mentioned which refused it was
being set up by an admin who was trying to play by the book instead of using
the lies and inconsistencies that we were using.

When we moved from BSD to HP for our firewall, either HP or Gauntlet (5.5)
complained about the 1-bit mask but would allow us to use it if we overrode
their warning. Since our Internet hosts were expanding, we had already
decided to allocate the entire Class C to the Internet side so opted to
discontinue the 1-bit mask.

So, while I'm not sure this is the problem, it is a possibility. 
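The all-zeros / all-ones subnet issue described above can be checked mechanically. The following is an added example (not code from either poster): it takes a network in CIDR form, works out how many subnet bits sit between the classful prefix and the mask, and reports whether the subnet field is all 0s or all 1s, which is exactly the condition a by-the-book stack objects to. It reuses the 200.200.200.x placeholder range from the quoted message and the Python standard library's ipaddress module only.

```python
import ipaddress


def classful_prefix(net: ipaddress.IPv4Network) -> int:
    """Default prefix length implied by the address class (A/B/C)."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{net} is not a class A, B or C network")


def classify_subnet(network_str: str) -> dict:
    """Describe the subnet field of network_str relative to its classful block."""
    net = ipaddress.ip_network(network_str, strict=True)
    base = classful_prefix(net)
    subnet_bits = net.prefixlen - base          # bits borrowed from the host part
    if subnet_bits < 0:
        raise ValueError(f"{net} is a supernet of its classful block")
    host_bits = 32 - net.prefixlen
    # The subnet field is the run of bits between the classful prefix and the mask.
    field = (int(net.network_address) >> host_bits) & ((1 << subnet_bits) - 1)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "subnet_bits": subnet_bits,
        "subnet_field": field,
        "all_zeros": subnet_bits > 0 and field == 0,
        "all_ones": subnet_bits > 0 and field == (1 << subnet_bits) - 1,
    }


def safe_subnets(classful_str: str, prefixlen: int) -> list:
    """Subnets of classful_str at prefixlen whose field is neither all 0s nor all 1s.

    With a 1-bit mask this list is empty: both halves are special under the
    old rule, which is why some stacks refuse 255.255.255.128 on a Class C.
    """
    block = ipaddress.ip_network(classful_str, strict=True)
    result = []
    for sub in block.subnets(new_prefix=prefixlen):
        info = classify_subnet(str(sub))
        if not (info["all_zeros"] or info["all_ones"]):
            result.append(str(sub))
    return result


if __name__ == "__main__":
    # Constructed sample networks in the placeholder range used in the thread.
    for n in ("200.200.200.0/25", "200.200.200.128/25", "200.200.200.64/26"):
        print(n, classify_subnet(n))
    for plen in (25, 26):
        print(f"/{plen} subnets without all-0/all-1 field:",
              safe_subnets("200.200.200.0/24", plen))
```

Running it shows the two /25 halves flagged as all-zeros and all-ones respectively, and that only the two middle /26 blocks (.64 and .128) survive the old rule, matching the "lower and upper 64 addresses" restriction mentioned above.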

> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, March 29, 2000 11:10 AM
> To: [EMAIL PROTECTED]
> Subject: gauntlet 5.0 for NT & FTP Failure
> 
> Hi all
> 
> That's the status and the problem !
> 
> My company owns a class c IP scheme split into 2 subnets
> We do not use dynamic IP addresses , we use static legal  IP addresses
> the trusted    212.205.162.0 : 255.255.255.128
> 
> Gauntlet is installed on a Compaq Proliant 400. It has two network cards.
> Inside network interface = 200.200.200.126 : 255.255.255.128
> Outside network interface = 200.200.200.253 : 255.255.255.252
> Router's address = 200.200.200.254 : 255.255.255.252
> The scheme 200.200.200.x is not the real one, it is for explaining purposes...
> 
> The enabled proxies are :
> HTTP -Trusted Network
> FTP - Trusted Network
> NOTES - Untrusted Network
> (this is a plug proxy that allows everything from outside to reach the
> specific Lotus Domino Server IP 200.200.200.2 : 255.255.255.255 on the
> port 1352)
> 
> Everything else is disabled from the POLICIES TAB. There is no other extra
> configuration. All the other settings are left as they are by default.
> 
> The problem is when I am trying to reach some FTP sites , through my
> browser the firewall stops working.
> Unfortunately there is nothing written in the log. The internal and
> external network adapters drop dead.
> The result is that no one can browse , there is no data traffic from/to
> the internet until gauntlet's computer restarts. The computer is working
> properly it is not crashed. Only Gauntlet seems to be dead but not crashed
> 
> when the problem occurs :
> No traffic (HTTP, Telnet, SMTP, etc.) is able to pass through Gauntlet. If
> you use web browsers to ftp to internet through Gauntlet there is no
> traffic.
> No pinging is available to the inside (Trusted) interface from internal
> machine, and no pinging is also available to the outside (Untrusted)
> interface from any machine outside (Untrusted) network?
> 
> 
> ACTIONS TAKEN
> I reinstalled SP4 and hotfixes
> I uninstalled and reinstalled Gauntlet vs 5.0 (with no patches)
> Result : Problem not solved
> 
> I installed SP5 (without hotfixes)
> Uninstalled and reinstalled Gauntlet vs 5.0 (with no patches)
> Result : Problem not solved
> 
> Today as I was trying to find out what is happening I noticed that if I
> try to FTP a site through Netscape Navigator or Internet Explorer vs 4 there
> is no problem, Gauntlet works fine. On the contrary, if I do the same thing
> using Internet Explorer vs 5 (which is currently installed on my desktop
> computer) then the problem starts.
> 
> I know it was a huge email but I wanted to give you a good description
> 
> I would really appreciate any help
> 
> Thank you
> 
> George
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]