[177930] in North American Network Operators' Group
Re: Dynamic routing on firewalls.
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Feb 9 09:14:42 2015
X-Original-To: nanog@nanog.org
To: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
In-Reply-To: Your message of "Mon, 09 Feb 2015 11:54:04 -0200."
<F6140BE0-59F3-450F-B020-0667A7DB096C@freebsdbrasil.com.br>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 09 Feb 2015 09:14:16 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
> On a bridged firewall you can have the behavior you want, whatever it is. Passing packets when the firewall is down, but the box is still up.
Owen's point is that passing packets if the firewall is down is really poor
security-wise. If you run in that configuration, I simply DoS your firewall
(probably from one set of IP addresses), and then once it has fallen over and
is being bypassed, I send my *real* malicious traffic from some other IP
address, totally uninspected and unhindered. Much hilarity, hijinks, and
pwnage ensues.