> > Still, why would my firewall respond to you? It only needs to
> > respond to the management server's address.
>
> True. Also true of a routing firewall that has its management access
> table applied on L3/4 rather than (or "in addition to") L7 only.
Exactly, and that's the only right way.
> > You can even select a management address that is not in the same
> > network range as the routers/management network around it.
>
> Also true for (some, although not very many I suppose :P) routing
> firewalls.
And another point for the "what makes a firewall a good firewall".
The list of considerations just gets longer and longer.
Anybody up for a major feature comparison challenge? ;)
> > Bridged firewalls can have a management interface too; for example,
> > with the BRICK you can use any of the interfaces for whatever you
> > want. No set DMZ etc.
>
> All good and well. Although I must say that, in general, I think
> people that design firewalls that can't do anything else than
> the classical ext/int/dmz need to have a wire brush applied to
> select parts of their anatomy. (No, not necessarily the weenie home
> gateways. They're usually so b0rken anyway that it doesn't matter ;))
Netscreen... wire brush coming up!
> > You can fire at will, but what are you trying to achieve?
> > Fill a 100Mbit pipe, and basically DOS the uplink?
>
> Nah, that's no fun. Strictly speaking, the LAN gets DOSed before
> the firewall (about .01us before :)), so that doesn't count.
>
> I was more thinking along the lines of the firewall forgetting to
> wipe any unused space up to the 60 bytes minimum (and hence possibly
> leaking data from the aforementioned admin interface, although I'll
> give you that that is an issue with any firewall with careless coders),
> or going up in flames when someone sends it IP options with invalid
> lengths or somesuch. (Come to think of it, I've only ever seen that
> particular thing happen to proxy firewalls, but let's not start that
> thread up again :))
ROFL
> > But you still need a device responding to the ARPs on the "wrong" interface
> > to get the traffic to leave the firewall, and that is very unlikely.
> > Except maybe when you have something proxy-arping for the wrong range? ;)
>
> If $bridging_firewall gets confused by units proxy-arping the
> wrong range, I definitely see why you don't like proxy arp ;)
The firewall does not get confused, it just thinks the destination is where it
should not be... not its fault though.
But still, that is only layer 2; the traffic still has to pass through the
filters/rulesets, and most of the time the ruleset to use is based on source or
destination IP, which means the ARP might have gone wrong, but the traffic
will not go out the wrong interface.
Don't ask me what happens with the packet, it'll probably be stuck in limbo;
I'll try when I have a few spare minutes.
> Here's a point on flexibility: To my mind, it is fairly common
> to do filtering on IP addresses. Now, how does this combine?
> - Either, you need to write something very similar to a
> routing table, to avoid spoofing issues.
> - Or, you _always_ need to specify, per rule, interface/IP pairs,
> which is essentially weaving the routing table into the ruleset,
> with added complexity.
> - OR, you don't give a flying fuck about filtering per IP or IP
> spoofing, which I assume isn't the case for you :)
You can also group the rules, split them up into zones, just like the groups
of hosts that share the same policy, add IP ranges with spoofing protection
to the zone, so you do not need to specify it on a rule-per-rule basis anymore.
Add the zone to an interface, and done.
int1 -> zone0 -> 10.0.10.12
int1 -> zone1 -> 10.0.10.10-10.0.10.20
int1 -> zone2 -> 10.0.10.0/24
int1 -> zone3 -> 192.168.0.0/16
int1 -> zone4 -> *
int2 -> zone1 -> 10.0.10.10-10.0.10.20
int2 -> zone3 -> 172.14.0.0/18
int2 -> zone7 -> 20.9.12.1, 202.135.7.12-202.135.7.18, 107.23.12.12-107.23.12.111
No limitations on zones, overlapping IP ranges no problem, love the wildcard!
Of course with more descriptive names for the zones.
> So, where's the flexibility?
> (No, I still don't get it :))
That's because you are Proxy-ARPing... it's too similar to bridged mode.
Greetings,
Diederik
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
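The interface -> zone -> ranges table above, worked through as an added example (not code from the post or from any firewall product): a parser for that table shape, a zone classifier that tolerates overlapping ranges and the wildcard, and an anti-spoofing check that drops a source that fits no zone on its ingress interface. The zone table is copied from the post; the per-zone policy actions are a hypothetical stand-in for the real ruleset.

```python
import ipaddress
# Zone table in the "interface -> zone -> ranges" shape of the post (copied from it).
ZONE_TABLE = """
int1 -> zone0 -> 10.0.10.12
int1 -> zone1 -> 10.0.10.10-10.0.10.20
int1 -> zone2 -> 10.0.10.0/24
int1 -> zone3 -> 192.168.0.0/16
int1 -> zone4 -> *
int2 -> zone1 -> 10.0.10.10-10.0.10.20
int2 -> zone3 -> 172.14.0.0/18
int2 -> zone7 -> 20.9.12.1, 202.135.7.12-202.135.7.18, 107.23.12.12-107.23.12.111
"""
# Hypothetical per-zone policy: rules name zones, never interface/IP pairs.
ZONE_POLICY = {"zone0": "allow-mgmt", "zone1": "allow", "zone2": "deny",
               "zone3": "allow", "zone4": "deny", "zone7": "allow"}

def _parse_spec(spec):
    """One range spec ('*', 'a-b', 'a/n' or a single address) -> (lo, hi) as ints."""
    spec = spec.strip()
    if spec == "*":
        return (0, 2**32 - 1)
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        return (int(lo), int(hi))
    net = ipaddress.ip_network(spec, strict=False)  # a bare address becomes a /32
    return (int(net.network_address), int(net.broadcast_address))

def parse_zone_table(text):
    """Return [(interface, zone, [(lo, hi), ...]), ...] in table order."""
    bindings = []
    for line in text.strip().splitlines():
        iface, zone, specs = (part.strip() for part in line.split("->"))
        bindings.append((iface, zone, [_parse_spec(s) for s in specs.split(",")]))
    return bindings

def zones_for(bindings, iface, src_ip):
    """Zones bound to the ingress interface that contain src_ip, most specific first."""
    addr = int(ipaddress.IPv4Address(src_ip))
    hits = []
    for bound_iface, zone, ranges in bindings:
        if bound_iface != iface:
            continue  # a zone not bound to this interface never applies to it
        spans = [hi - lo for lo, hi in ranges if lo <= addr <= hi]
        if spans:  # overlaps are fine: one source may sit in several zones
            hits.append((min(spans), zone))
    return [zone for _, zone in sorted(hits)]

def decide(bindings, policy, iface, src_ip):
    """Source fitting no zone on its ingress interface is spoofed; else most specific zone's action."""
    zones = zones_for(bindings, iface, src_ip)
    return policy[zones[0]] if zones else "drop-spoofed"
```

Note that binding the wildcard zone to int1 means no source can ever be rejected as spoofed there, since every address fits zone4; the spoofing protection only bites on interfaces like int2 whose zones enumerate the ranges expected behind them.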