


Firewall Wizards: Re: Firewall-1 and Frame relay interfaces

Re: Firewall-1 and Frame relay interfaces

From: Crist Clark <crist.clark_at_globalstar.com>
Date: Tue, 05 Jun 2001 10:06:12 -0700

"Dawes, Rogan (ZA - Johannesburg)" wrote:

[snip]
 
> I was thinking that it would be a lot simpler to have a firewall device
> (Nokia or Sun) with a frame relay interface. The individual PVCs would
> connect to the firewall over the single (electrical) connection, but the
> firewall would treat them as separate interfaces. Then the firewall can
> control any traffic between interfaces. This seems to remove an enormous
> amount of complexity (routers, QFE's, etc), with no downside.
>
> However, I have been informed that the Nokia boxen (and Sun, it seems) will
> do the routing first, and if the packet is to go out of the same interface,
> will transmit it immediately out the interface without it passing through
> the firewall rulebase. To me though, the different frame relay PVC's are
> different interfaces!
>
> Can anyone confirm or deny this? I would hate to have to go with the
> complex solution for nothing.

Are we still talking about FW-1? FW-1 does do the routing calculation
first. This is extremely annoying. However, the packet still goes through
the firewall rules. This only becomes an issue when the destination address
of the packet changes somewhere in the firewall processing, i.e. when you
are doing NAT.

So, yes, routing is done first in FW-1, but no, the packet does not go
out an interface without first passing through the ruleset. At least,
that's what the docs say.

-- 
Crist J. Clark                                Network Security Engineer
crist.clark_at_globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
Received on Jun 05 2001