Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: Firewall-1, unix routing, and IPX/SPX bridging
From: twalker @ acc . org
Date: Fri, 14 Apr 1995 17:33:22 -0400
To: david @ wsi1 . wsi . com (David Flinn), firewalls @ greatcircle . com

     If your hardware router is bridging only SPX/IPX & you want the SUN to 
     do the same, why not put the xylogics on the internal net?  
     
     I do not see any advantage to it on the 'perimeter net', since you 
     want it to bridge the packets?  Bridging is not going to do any packet 
     screening or authentication.  It will just forward the packets.
     
     On the other hand, if the xylogics is doing IP & SPX/IPX, I can see 
     your problem in not wanting to put it on your internal net.  You could 
     add another router between the internal & perimeter net.  Just 
     configure it to route or bridge IPX/SPX.  
     
     This keeps your IP going through your firewall & properly 
     authenticated.  The SPX/IPX is not authenticated and routed or bridged 
     right on through.
     
     Just a thought.
     
     /Tom
     
     ----------------------------------------------------------------- 
     Tom Walker, Network Manager        American College of Cardiology 
     MHS:twalker @ acc                    Phone:1-301-493-2318 
     Internet:twalker @ acc . org  


______________________________ Reply Separator _________________________________
Subject: Firewall-1, unix routing, and IPX/SPX bridging
Author:  david @ wsi1 . wsi . com (David Flinn) at Internet-Mail
Date:    4/14/ 0 2:37 PM


Hi,
     
I've got a tricky question concerning using a Sun Netra with firewall-1 
running on it and Novell's IPX/SPX. More generically, it addresses 
the issue if any Unix box routing between two ethernet interfaces can 
"bridge" IPX/SPX. Note the following picture:
     
			192.207.93.0 Class C network
			255.255.192.0 subnet mask 
     
     
     netcom.com ----- hardware ----(le0) netra (le1)---
                         router	       firewall-1     |
                           |                          |
                        xylogics               internal network
                           |                          |
                         modems                       |
                           |                       clients
                     remote client
     
The scenario is that if an employee uses a dial up modem into
the xylogics terminal server and is using NovellRemote, the xylogics 
will handle it and pump out IPX/SPX packets to the router. The router 
can handle it, and bridges the packets out to the netra.  Since
the netra is a TCP/IP router, I am 98% darn sure that the IPX/SPX 
packets will not make it over to the internal network.
     
So ... is it possible to make this happen?
     
question (1) :	Can a Sun (or any Unix box) with two ethernet interfaces 
		be made to bridge IPX/SPX packets?
     
		If no, I guess we have to put the xylogics on the 
		inside of the firewall. Bummer.
     
		If yes, what software products are required to make 
		this happen?
     
question (2) :	Now that we can "bridge" IPX/SPX across two ethernets, 
		will this still work if Firewall-1 is running on the
		netra ? 
     
		If Firewall-1 can't do it, how about TIS or Gauntlet?
     
Thanks for your time, consideration, and thoughts,
     
david
-------------
david flinn
david @ wsi . com
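
The reply above proposes two paths between the perimeter and internal nets: IP through the firewall, IPX/SPX through a separate router or bridge with no screening. As an added illustration (not part of the original messages), this Python sketch classifies Ethernet frames by link-layer encapsulation to show which traffic would take the unscreened path; the function names, path labels and sample frames are constructed for this example.

```python
import struct

ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_IPX = 0x0800, 0x0806, 0x8137

def classify(frame: bytes) -> str:
    """Return 'ip', 'ipx' or 'other' for one Ethernet frame (without FCS)."""
    if len(frame) < 14:
        return "other"
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if type_or_len >= 0x0600:               # Ethernet II: field is an EtherType
        if type_or_len in (ETHERTYPE_IP, ETHERTYPE_ARP):
            return "ip"
        return "ipx" if type_or_len == ETHERTYPE_IPX else "other"
    if type_or_len > 1500:                  # neither a valid length nor a type
        return "other"
    # IEEE 802.3: the field is a length, so IPX is identified by what follows
    if payload[:2] == b"\xff\xff":          # Novell "raw" 802.3 (IPX checksum)
        return "ipx"
    if payload[:3] == b"\xe0\xe0\x03":      # 802.2 LLC with Novell SAP 0xE0
        return "ipx"
    if payload[:8] == b"\xaa\xaa\x03\x00\x00\x00\x81\x37":  # SNAP + 0x8137
        return "ipx"
    return "other"

def path_for(frame: bytes) -> str:
    """Device that carries the frame in the two-path layout (labels assumed)."""
    paths = {"ip": "firewall (screened)", "ipx": "bridge (unscreened)"}
    return paths.get(classify(frame), "neither")

def _frame(type_or_len: int, payload: bytes) -> bytes:
    # Constructed sample frame: placeholder MAC addresses, zero-filled body
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    return macs + struct.pack("!H", type_or_len) + payload

IPX_HDR = b"\xff\xff" + bytes(28)           # constructed 30-byte IPX header
SAMPLES = {
    "ipv4":        _frame(0x0800, b"\x45" + bytes(19)),
    "ipx_eth2":    _frame(0x8137, IPX_HDR),
    "ipx_raw":     _frame(30, IPX_HDR),
    "ipx_llc":     _frame(33, b"\xe0\xe0\x03" + IPX_HDR),
    "ipx_snap":    _frame(38, b"\xaa\xaa\x03\x00\x00\x00\x81\x37" + IPX_HDR),
    "appletalk":   _frame(0x809B, bytes(20)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:10s} -> {path_for(frame)}")
```

All four IPX encapsulations land on the unscreened path, so a filter on the bridging device that matched only EtherType 0x8137 would miss three of them.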
