Great Circle Associates Firewalls
(October 1995)
 


Subject: Re: RFC 1597
From: mcr@milkyway.com (Michael Richardson)
Organization: Milkyway Networks Corporation, Ottawa, ON
Date: 2 Oct 1995 11:27:14 -0400
To: firewalls@greatcircle.com
Distribution: milkyway
Newsgroups: milkyway.mail.firewalls
References: <199510021231.FAA17889@miles.greatcircle.com>

In article <199510021231.FAA17889@miles.greatcircle.com>, <toon@cem-bb.e-mail.COM> wrote:
>the proper kind of firewall (dual-homed gateway, nice name). To make
>this work perfectly one would like to have the possibility to reserve a
>small part of the official addresses (class C?) to be 'translated' in a
>static way to the internal addresses of the servers to be reached from
>the outside world. The remaining part should make a 'pool' to be
>dedicated dynamically (only when needed) for those IP-hosts that need
>connection from the inside to the Internet.

  Well, an application layer gateway (and some filters) can provide
simple translation to the IP of the firewall. It is trivial to
decide to use another address, but you may *not* want to do this
dynamically. 
  Why? That gives no information to the remote machines about
who is connecting via DNS. If you do not want to give them info,
then use either the firewall itself (often called gateway.foo.com,
or foo.com), or use some "typical" name like "marketing.foo.com"
for all the PCs in marketing.
  The other reason not to dynamically allocate things is that
it makes rules a pain. That isn't to say that you need to have
a different IP for each utility device (each printer). You
might have 1 "printers.foo.com" (or service.foo.com) with rules that 
map 100 ports on that "virtual machine" to the correct 
lprXX.foo.com:515.
  Why you want people from the untrusted side to be able to 
print is not a question I'll ask right here :-)

>MY QUESTION: Does someone work already in this way?

  Yes.

>I read RFC1627 and I am not happy with it. I will not discuss every
>item in it in this forum, although I think that this could be useful.

  My feeling is that some group of managers at large companies do not
want to spend money on IPv6 now. If RFC 1597 can avoid the crunch,
they think, then do not spend money. 1627 is a response from the
engineering people who say (quite rightly) "you snooze, you lose".

-- 
   :!mcr!:            |     Milkyway Networks Corporation <http://www.milkyway.com/>
   Michael Richardson |   Makers of the Black Hole firewall 
 NCF: aa714 || xx714  | +1 613 566-4574 ... mcr@milkyway.com
 Home: mcr@sandelman.ocunix.on.ca <http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.

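As an added illustration, not part of the original post, here is a small Python model of the two translation policies the thread discusses: a static map for services reachable from outside, including one public "virtual machine" whose consecutive ports fan out to lprXX:515, beside a dynamic pool of public addresses leased to internal clients only while they need one. All host names and addresses are constructed (198.51.100.0/24 stands in for the site's public block, 10.0.0.0/8 is an RFC 1597 private range used inside).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)

@dataclass
class Translator:
    """Address translator at a dual-homed gateway (constructed model)."""
    static: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # public -> internal
    pool: List[str] = field(default_factory=list)  # public addrs for outbound leases
    leases: Dict[str, str] = field(default_factory=dict)  # internal addr -> public addr

    def add_static(self, public: Endpoint, internal: Endpoint) -> None:
        # one public (addr, port) must never map to two internal services
        if public in self.static:
            raise ValueError(f"{public} already mapped")
        self.static[public] = internal

    def map_virtual_host(self, public_addr: str, first_port: int,
                         hosts: List[str], internal_port: int = 515) -> None:
        # consecutive ports on one public "virtual machine", one internal host each
        for i, host in enumerate(hosts):
            self.add_static((public_addr, first_port + i), (host, internal_port))

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        # rewrite an inbound destination; None means no rule, so the packet is dropped
        return self.static.get(dst)

    def outbound(self, src_addr: str) -> Optional[str]:
        # lease a public address only while the client needs it; None when exhausted.
        # the remote side sees a different address per lease, so DNS tells it nothing
        if src_addr in self.leases:
            return self.leases[src_addr]
        if not self.pool:
            return None
        self.leases[src_addr] = self.pool.pop(0)
        return self.leases[src_addr]

    def release(self, src_addr: str) -> None:
        # hand the public address back so another client can use it
        public = self.leases.pop(src_addr, None)
        if public is not None:
            self.pool.append(public)

def demo() -> Translator:
    # constructed: 198.51.100.0/24 is the public block, 10.0.0.0/8 (RFC 1597) inside
    t = Translator(pool=["198.51.100.20", "198.51.100.21"])
    # static part: one public host, ports 10001-10003 -> lpr01..lpr03:515
    t.map_virtual_host("198.51.100.10", 10001, ["lpr01", "lpr02", "lpr03"])
    return t
```

Filter rules can then be written against the stable static entries, while the dynamic pool shows the other cost the reply mentions: once the two leases are taken, a third internal client gets nothing until one is released.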
