The firewall IS stopped when you reload the rulebase.
If you are getting replies to your inside hosts, then IP
forwarding must be on. You might consider blocking
all but the one address on the outside router for just
such occasions.
Make sure that S69Inet isn't turning IP forwarding back on for
you every time you boot.
Ryan
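As an added example (not part of either message in this thread, and not FW-1 or Solaris code), here is one way to audit the boot-time check Ryan suggests: scan an rc script such as /etc/rc2.d/S69inet for `ndd -set /dev/ip ip_forwarding N` lines and report what the last one would leave in effect. The rc fragments are constructed for the example and are not copied from any real Solaris release; the live `ndd -get` call is only attempted when the `ndd` binary exists, so the script runs on a non-Solaris box too.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an rc script for lines that
# re-enable IP forwarding at boot, which would undo a manual
# "ndd -set /dev/ip ip_forwarding 0".

# Print the value set by the last "ndd -set /dev/ip ip_forwarding N" line
# in the given file (comments stripped), or "none" if the file never
# touches ip_forwarding.
last_forwarding_setting() {
    v=$(sed 's/#.*//' "$1" \
        | grep 'ndd[[:space:]][[:space:]]*-set[[:space:]][[:space:]]*/dev/ip[[:space:]][[:space:]]*ip_forwarding' \
        | awk '{ print $NF }' \
        | tail -n 1)
    echo "${v:-none}"
}

# Succeed (exit 0) if the script leaves forwarding off or untouched,
# fail (exit 1) if it would turn forwarding back on at boot.
boot_leaves_forwarding_off() {
    case "$(last_forwarding_setting "$1")" in
        1) return 1 ;;
        *) return 0 ;;
    esac
}

# Query the running kernel if ndd exists (Solaris); otherwise report that
# the live check was skipped. Hypothetical helper for the example.
live_forwarding_state() {
    if command -v ndd >/dev/null 2>&1; then
        ndd -get /dev/ip ip_forwarding
    else
        echo "ndd-not-available"
    fi
}

# Constructed sample rc fragments (not real Solaris files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/S69inet.on" <<'EOF'
# constructed sample: starts as a non-router, then flips to router mode
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
/usr/sbin/ndd -set /dev/ip ip_forwarding 1   # re-enables forwarding at boot
EOF
cat > "$SAMPLE_DIR/S69inet.off" <<'EOF'
# constructed sample: stays a non-router
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
EOF
cat > "$SAMPLE_DIR/S69inet.none" <<'EOF'
# constructed sample: never touches ip_forwarding
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
EOF

# Usage: run against the real script on the firewall, e.g.
#   boot_leaves_forwarding_off /etc/rc2.d/S69inet || echo "boot re-enables forwarding"
for f in on off none; do
    printf '%s: last setting = %s\n' "$f" "$(last_forwarding_setting "$SAMPLE_DIR/S69inet.$f")"
done
printf 'live kernel state: %s\n' "$(live_forwarding_state)"
```

The check is deliberately conservative: a script that never mentions ip_forwarding is reported as leaving it alone, which still means the kernel default applies, so the live `ndd -get` on the box itself remains the authoritative answer.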
---------- Previous Message ----------
To: firewalls, firewall-1
cc:
From: martinw @ epcorp.com ("Martin C. Walker") @ smtp
Date: 12/13/96 03:22:11 PM
Subject: firewall open when loading policy
Running FW-1 2.1 on Solaris x86 2.5.1.
When the FW is up, all my traffic is hidden behind 1 address, even though
behind it there are still a couple of legal (i.e. registered) class C's. The way
DNS etc. is set up, no outside machines should know about host names
or inside IPs. (I know host names can "leak" out in mail headers etc.)
Whenever I reload the policy rule base on the FW I see packets dropped
right after the new policy is in place that are destined for an internal,
supposed to be hidden, host... at its *real* (non-NATted) IP. To me this
indicates that the FW is letting traffic out un-NATted while the rules
are being loaded, and inbound replies are being caught when the new policy
is in place.
Does this sound reasonable? That raises the question of what is coming
in at the same time? The firewall is never stopped and IP forwarding is
off in the kernel (ndd -set /dev/ip ip_forwarding 0).