[177935] in North American Network Operators' Group


Re: Dynamic routing on firewalls.

daemon@ATHENA.MIT.EDU (Patrick Tracanelli)
Mon Feb 9 10:47:21 2015

X-Original-To: nanog@nanog.org
From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
In-Reply-To: <215947.1423495545@turing-police.cc.vt.edu>
Date: Mon, 9 Feb 2015 13:47:10 -0200
To: Valdis.Kletnieks@vt.edu
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On 09/02/2015, at 13:25, Valdis.Kletnieks@vt.edu wrote:
>
> On Mon, 09 Feb 2015 12:56:37 -0200, Patrick Tracanelli said:
>>> On 09/02/2015, at 12:14, Valdis.Kletnieks@vt.edu wrote:
>>> On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
>>>> On a bridged firewall you can have the behavior you want, whatever it is. Passing packets with firewall is down, but the box still up.
>>>
>>> Owen's point is that passing packets if the firewall is down is really poor
>>> security-wise.   If you run in that configuration, I simply DoS your firewall
>>> (probably from one set of IP addresses), and then once it has fallen over and
>>> is being bypassed, I send my *real* malicious traffic from some other IP
>>> address, totally uninspected and unhindered.  Much hilarity, hijinks, and
>>> pwnage ensues.
>>
>> Hello Valdis,
>>
>> If this is really the point, I don’t know what system you are talking about
>
> The one *you* mentioned - "passing packets with firewall is down".  Owen
> was pointing out that is a silly configuration:

An explicit decision regarding bypass ports, as I mentioned, if someone does not want a redundant approach and doesn’t want availability issues if power is down or the system is overloaded.

Not an inherent behavior or a must. Not related to being L2 or L3. Just a mentioned possibility. Not a limitation, not a recommendation. In the previous e-mail I mentioned “whatever option you want” upon failure: traffic still flowing, traffic bypassed, traffic dropped, L2+STP redundancy, no redundancy at all. So please don’t refer to one single option and point to it as a failure of the methodology’s nature if you consider it a decision/project error; in that case just do it the other way, opting out from bypass and dropping or failing over upon exhaustion or failure. Back to the point, it doesn’t have to be different or limited from what you get in L3 firewalling.

>
> On 08/02/2015, at 22:48, Owen DeLong <owen@delong.com> wrote:
>> Technically true, but bridged firewalls are pretty much passe these days in the
>> real world. As a general rule, when the firewall is shut down, one usually
>> doesn’t want the packets flowing past un-hindered. The fact that this is kind
>> of the default of what happens with bridged firewalls is just one of the many
>> reasons hardly anyone still uses such a thing.

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
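The fail-closed option the thread argues for, as an added example that is not part of the original message: a watchdog for a FreeBSD bridged (L2) firewall that takes the bridge down when pf reports itself disabled, instead of forwarding frames unfiltered. The "bypass" policy models the fail-open behaviour being criticised; the interface names bridge0/em0/em1 and the POLICY variable are assumptions, while `pfctl -s info` and `ifconfig ... down` are standard FreeBSD commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: bridge0 is the
# transparent bridge, em0/em1 its members, POLICY selects the failure mode.
BRIDGE="${BRIDGE:-bridge0}"
POLICY="${POLICY:-drop}"     # "drop" = fail closed, "bypass" = fail open

# Pure decision logic, kept separate so it can be tested offline.
# $1: first line of `pfctl -s info` ("Status: Enabled ..." or "Status: Disabled",
#     empty when pf is not loaded at all); $2: policy.
# Prints the action and returns 0 to keep forwarding, 1 to cut the bridge.
fail_action() {
    status="$1"; policy="$2"
    case "$status" in
        "Status: Enabled"*) echo "forward"; return 0 ;;
    esac
    # The packet filter is stopped, crashed or never loaded.
    if [ "$policy" = "bypass" ]; then
        # Fail open: frames keep flowing past an absent filter.
        echo "forward-unfiltered"; return 0
    fi
    # Fail closed: stop forwarding until the filter is back.
    echo "cut-bridge"; return 1
}

# Apply the decision on a live box (run periodically from cron or a loop).
# Only the drop policy ever touches the bridge interface.
enforce() {
    status="$(pfctl -s info 2>/dev/null | head -n 1)"
    action="$(fail_action "$status" "$POLICY")" || {
        ifconfig "$BRIDGE" down
        logger -t fw-watchdog "pf not enabled; $BRIDGE taken down ($action)"
        return 1
    }
    return 0
}
```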

