> One of the characteristics of an effective firewall is that ALL traffic--both
> internal and external--passes through the firewall. If the firewall "drops all
> packets whose source and destination are both in the internal net", then
> wouldn't this prevent the nodes on the internal net from communicating with one
> another?
This would only prevent them from communicating if they are truly
misconfigured (I don't even know if you could do it without further
subnetting and contortions). If they are both on the same net/cable,
then they should have never been trying to talk through the firewall in
the first place. If they are subnetted, then they should have a default
route set to the local router. If the local router is the firewall (i.e.
1 router, multiple interfaces), then they are not on the same network
anyway.
Ciao,
--
Richard Bainter Mundanely | System Analyst - OMG/CSD
Pug Generally | Applied Research Labs - U.Texas
pug@arlut.utexas.edu | pug@bga.com | pug@eden.com | {any user}@pug.net
Note: The views may not reflect my employers, or even my own for that matter.
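The forwarding decisions the reply relies on, as an added example that is not part of the original thread: a host delivers directly when the destination is on its own link, a local router delivers directly to any LAN it is attached to, and only packets that nobody closer claims ever reach the firewall, where the quoted "drop if both source and destination are internal" rule is applied. The topology, addresses and host names are constructed for illustration; the misconfigured host D (a /32 mask with its default route pointed straight at the firewall) shows the one case where the rule does bite.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (not from the thread): one internal net (10.0.0.0/8)
# holding two LANs, an internal router between them, and a firewall on the
# way out. All addresses are assumptions for the example.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
FIREWALL_ADDR = ipaddress.ip_address("10.0.255.1")
ROUTER_ADDR = ipaddress.ip_address("10.1.0.1")


@dataclass
class Host:
    name: str
    iface: ipaddress.IPv4Interface        # address plus prefix length
    default_router: ipaddress.IPv4Address


@dataclass
class Router:
    connected: list                       # networks on its own interfaces
    default_router: ipaddress.IPv4Address  # where everything else is sent


def firewall_verdict(src, dst):
    """The rule quoted in the thread: drop when both ends are internal."""
    if src in INTERNAL_NET and dst in INTERNAL_NET:
        return "drop"
    return "accept"


def trace(host, dst, routers):
    """Follow a packet from host to dst.

    Returns (hops, outcome). The firewall is consulted only when the packet
    actually arrives there; on-link deliveries never involve it.
    """
    dst = ipaddress.ip_address(dst)
    hops = [host.name]
    if dst in host.iface.network:
        return hops + ["on-link"], "delivered"   # same cable, no router at all
    src = host.iface.ip
    nxt = host.default_router
    while nxt in routers:                         # walk the default-route chain
        hops.append(f"router {nxt}")
        router = routers[nxt]
        if any(dst in net for net in router.connected):
            return hops + ["on-link"], "delivered"  # router hands it to its LAN
        nxt = router.default_router
    hops.append(f"firewall {nxt}")                # nothing closer claimed dst
    verdict = firewall_verdict(src, dst)
    return hops, "forwarded" if verdict == "accept" else "dropped"


def scenarios():
    """Run the four cases discussed in the reply and return their traces."""
    router = Router(
        connected=[ipaddress.ip_network("10.1.0.0/24"),
                   ipaddress.ip_network("10.2.0.0/24")],
        default_router=FIREWALL_ADDR,
    )
    routers = {ROUTER_ADDR: router}
    # A: correctly configured host on LAN 10.1.0.0/24 with the local router
    # as its default route.
    a = Host("A", ipaddress.ip_interface("10.1.0.5/24"), ROUTER_ADDR)
    # D: "truly misconfigured" host, /32 mask and default route straight to
    # the firewall, so even a neighbour on the same cable goes via the firewall.
    d = Host("D", ipaddress.ip_interface("10.1.0.8/32"), FIREWALL_ADDR)
    return {
        "same lan": trace(a, "10.1.0.9", routers),
        "other internal lan": trace(a, "10.2.0.7", routers),
        "external": trace(a, "192.0.2.10", routers),
        "misconfigured host": trace(d, "10.1.0.9", routers),
    }


if __name__ == "__main__":
    for name, (hops, outcome) in scenarios().items():
        print(f"{name:20s} {' -> '.join(hops):45s} {outcome}")
```

Only the external destination and the misconfigured host produce packets that reach the firewall; the first is accepted because one end is outside the internal net, the second is dropped exactly as the quoted rule says, which matches the reply's point that correctly configured internal hosts never present internal-to-internal traffic to the firewall in the first place.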