> Assume IP packets to 195.11.22.5, port 80, which is allowed
> by the ruleset.
>
> Now, we can either alter the IP, or keep it static. Multiple routers
> outside the firewall would cause the sender MAC to change all
> the time, so you can't assume (at least not by default) that the sender MAC
> won't change in communication at this layer.
True, but that is a default gateway issue, not a MAC issue.
Only the MAC table on the host will be changed all the time.
One entry pushing out the other.
The src and dst MAC are valid MACs on the learning bridge port.
Therefore it is allowed to pass the packet to the firewall process.
The IP header will now be checked...
No problem with that.
Although, would you really have multiple gateways in this situation?
Are you running RIP/OSPF on the hosts?
> OR: for the sake of argument: assume that the network on the less
> trusted side of the firewall has a fairly large mask, like a /16 one.
> 65K MAC<>port mappings is a lot more than 99% of the switches out
> there can handle. Tables capable of handling only 1000-4000
> mappings is fairly common, as far as I know, unless you start talking
> about big-ass switches that you'll only have one or two of anyway, mixed
> with smaller ones for the "branches".
>
> (Yes, I'm an argumentative s-o-b. I know. :))
In a bridged situation this would automatically mean the /16 is on both
sides, we are bridging after all...
I can still specify the IP ranges/hosts behind my interfaces though.
What if your router has a /16 on one side, if they are able to mess with the
switch connected to your routed firewall you are down anyway.
Greetings,
Diederik
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
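The thread above argues about two things at once: the learning bridge's MAC table ("one entry pushing out the other") and whether a /16 on the less trusted side even fits in a switch that holds 1000-4000 mappings. The following simulation, added here as an illustration and not code from either poster, models a learning bridge with a bounded MAC table and LRU eviction, then replays a constructed exchange in which every host on the outside segment talks to the firewall and the firewall answers. It counts how often the bridge has to flood because the destination entry has already been pushed out (including the firewall's own entry, which is the oldest and therefore the first to go). The capacities, host counts and MAC addresses are constructed for the example; `hosts_in_prefix` just does the /16 arithmetic the thread relies on.

```python
from collections import OrderedDict
from ipaddress import ip_network


class LearningBridge:
    """Minimal learning bridge with a bounded MAC table and LRU eviction.

    Hypothetical model for the example: real switch CAM tables differ in
    eviction policy and ageing, but the capacity limit is the point here.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.table = OrderedDict()  # mac -> port, oldest entry first
        self.evictions = 0
        self.floods = 0
        self.unicasts = 0

    def learn(self, mac, port):
        """Record src MAC on the ingress port, evicting the oldest entry if full."""
        if mac in self.table:
            self.table.move_to_end(mac)  # refresh: recently seen
            self.table[mac] = port
            return
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # one entry pushing out the other
            self.evictions += 1
        self.table[mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Learn src, then unicast if dst is known, otherwise flood all ports."""
        self.learn(src_mac, in_port)
        out_port = self.table.get(dst_mac)
        if out_port is None:
            self.floods += 1
            return "flood"
        self.unicasts += 1
        return out_port


def hosts_in_prefix(prefixlen):
    """Usable host addresses in an IPv4 prefix, i.e. MAC entries a full segment needs."""
    net = ip_network(f"10.0.0.0/{prefixlen}")
    return net.num_addresses - 2


def host_mac(i):
    # Constructed locally administered MACs for the outside hosts
    return f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


def simulate(capacity, n_hosts, outside_port=1, firewall_port=2):
    """Replay: firewall speaks first, every host talks to it, firewall replies to each.

    Returns the flood/unicast/eviction counts so the effect of a table that is
    smaller than the segment can be measured rather than argued about.
    """
    fw_mac = "02:fe:00:00:00:01"  # constructed firewall MAC
    bridge = LearningBridge(capacity)

    # Firewall's first frame: learned on its port, destination still unknown
    bridge.forward(fw_mac, host_mac(0), firewall_port)
    # Every outside host sends one frame to the firewall
    for i in range(n_hosts):
        bridge.forward(host_mac(i), fw_mac, outside_port)
    # Firewall answers each host in the same order
    for i in range(n_hosts):
        bridge.forward(fw_mac, host_mac(i), firewall_port)

    return {
        "floods": bridge.floods,
        "unicasts": bridge.unicasts,
        "evictions": bridge.evictions,
        "table_size": len(bridge.table),
    }


if __name__ == "__main__":
    print("/16 needs", hosts_in_prefix(16), "MAC entries")
    print("capacity 4, 6 hosts:", simulate(4, 6))
    print("capacity 8, 6 hosts:", simulate(8, 6))
```

Run it with a 4000-entry table against `hosts_in_prefix(16)` hosts to see the full-scale version of the argument: once the table is smaller than the segment, the bridge spends most of its time flooding, and the firewall's own entry is the first casualty because it was learned earliest.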