[177934] in North American Network Operators' Group


Re: Dynamic routing on firewalls.

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Feb 9 10:26:09 2015

X-Original-To: nanog@nanog.org
To: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
In-Reply-To: Your message of "Mon, 09 Feb 2015 12:56:37 -0200."
 <15CE3299-E2B7-47B5-9050-CD4061EE3E3B@freebsdbrasil.com.br>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 09 Feb 2015 10:25:45 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Mon, 09 Feb 2015 12:56:37 -0200, Patrick Tracanelli said:
> > On 09/02/2015, at 12:14, Valdis.Kletnieks@vt.edu wrote:
> > On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
> >> On a bridged firewall you can have the behavior you want, whatever it is. Passing packets with firewall is down, but the box still up.
> >
> > Owen's point is that passing packets if the firewall is down is really poor
> > security-wise.   If you run in that configuration, I simply DoS your firewall
> > (probably from one set of IP addresses), and then once it has fallen over and
> > is being bypassed, I send my *real* malicious traffic from some other IP
> > address, totally uninspected and unhindered.  Much hilarity, hijinks, and
> > pwnage ensues.
>
> Hello Valdis,
>
> If this is really the point, I don’t know what system you are talking about

The one *you* mentioned - "passing packets with firewall is down".  Owen
was pointing out that is a silly configuration:

On 08/02/2015, at 22:48, Owen DeLong <owen@delong.com> wrote:
> Technically true, but bridged firewalls are pretty much passe these days in the
> real world. As a general rule, when the firewall is shut down, one usually
> doesn’t want the packets flowing past un-hindered. The fact that this is kind
> of the default of what happens with bridged firewalls is just one of the many
> reasons hardly anyone still uses such a thing.


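The attack Valdis describes (exhaust the inspection engine from one set of addresses, then send the real payload from another once the bridge is passing frames uninspected) is easy to see in a small model. The following is an added example, not code from the thread or from any product the posters mention; the filter class, the state-table capacity, the policy names and the addresses are all constructed for illustration. The only thing it models is the difference between a bridge that keeps forwarding when its filter process is down (fail-open) and one that stops (fail-closed).

```python
"""Toy model of a bridging packet filter under a state-table exhaustion DoS.

Added example for illustration; the class, policies and addresses below are
constructed and do not describe any real firewall implementation.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    FAIL_OPEN = "fail-open"      # bridge keeps forwarding when the filter is down
    FAIL_CLOSED = "fail-closed"  # bridge stops forwarding when the filter is down


@dataclass
class Packet:
    src: str
    dst: str
    malicious: bool = False      # stands in for "payload an inspecting filter would catch"


@dataclass
class StateFilter:
    policy: Policy
    capacity: int                            # tracked flows before the engine "falls over"
    blocklist: set = field(default_factory=set)
    flows: set = field(default_factory=set)
    alive: bool = True
    log: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        """Inspection path. Returns True if the packet may be forwarded."""
        if pkt.src in self.blocklist:
            self.log.append(f"drop {pkt.src}: blocklisted source")
            return False
        key = (pkt.src, pkt.dst)
        if key not in self.flows:
            if len(self.flows) >= self.capacity:
                # Simulated failure mode: one new flow too many and the
                # inspection process dies. Only the bridge data path remains.
                self.alive = False
                self.log.append("filter engine down: state table exhausted")
                return False
            self.flows.add(key)
        if pkt.malicious:
            self.log.append(f"drop {pkt.src}: payload matched")
            return False
        return True

    def forward(self, pkt: Packet) -> bool:
        """Bridge data path: what actually happens to a frame."""
        if not self.alive:
            bypassed = self.policy is Policy.FAIL_OPEN
            verdict = "pass" if bypassed else "drop"
            self.log.append(f"{verdict} {pkt.src}: uninspected, filter down")
            return bypassed
        return self.inspect(pkt)


def run_attack(policy: Policy, capacity: int = 100) -> dict:
    """Two-phase attack from the thread: DoS the filter, then send the real traffic."""
    fw = StateFilter(policy=policy, capacity=capacity, blocklist={"203.0.113.66"})
    payload = Packet(src="203.0.113.66", dst="192.0.2.10", malicious=True)

    # Baseline: with the filter healthy, the payload is stopped under either policy.
    baseline_forwarded = fw.forward(payload)

    # Phase 1: flood new flows from one set of (constructed) source addresses
    # until the state table overflows and the engine goes down.
    for i in range(capacity + 1):
        fw.forward(Packet(src=f"198.51.100.{i % 250}", dst=f"192.0.2.{i}"))

    # Phase 2: the real malicious traffic from an address the filter would block.
    malicious_forwarded = fw.forward(payload)

    return {
        "policy": policy.value,
        "baseline_forwarded": baseline_forwarded,
        "filter_alive": fw.alive,
        "malicious_forwarded": malicious_forwarded,
        "last_log": fw.log[-1],
    }


if __name__ == "__main__":
    for p in Policy:
        print(run_attack(p))
```

Under FAIL_OPEN the second phase lands with `pass 203.0.113.66: uninspected, filter down` even though the same packet was dropped a moment earlier; under FAIL_CLOSED the attacker still gets a denial of service, but not a bypass. That trade (availability lost, inspection guarantee kept) is the reason a filter that fails open is the wrong default for a security boundary, which is Owen's point in the quoted message.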
