Great Circle Associates Firewalls
(February 1996)
 


Subject: Re: routing table go through firewall ?
From: F.Wetzels@amc.uva.nl
Date: Thu, 08 Feb 1996 12:21:48 +0100
To: firewalls@greatcircle.com

fpmw> I am testing our fw-1 and have a question before
fpmw> implementing our security.
fpmw> I will use a dual homed g/w with fw-1 and connect each end to the internet
fpmw> and our internal network.
fpmw> 
fpmw> Our net -- Router -----  F/W ---- Router --  Internet 
fpmw>                               |
fpmw>                           BBS Server ...
fpmw> The question is whether each router can exchange its routing table with the other or not.
fpmw> If it can, how is it possible?

It can. It depends on what you want. You turn `rip services' on and off.
But it's also possible to do this for IGRP, BGP and EGP.

fpmw> Our network person assumes the G/W with F/W must use the RIP protocol.
fpmw> In our case he won't recommend the RIP protocol due to its heavy traffic.

I doubt RIP produces much traffic. Normally RIP tables are sent out once
every 30 seconds.

fpmw> If it is not possible, please explain in detail how to reach the
fpmw> BBS server from our net.

In case you're *not* using RIP or any other routing protocol,
you should add static routes on your F/W and internal router.

I have assumed some IP addresses for the routers and your BBS station:
 
 
Your net -------- Router ------------ FW -------+------- Router ------ internet
            aaa.1        bbb.2  bbb.1    ccc.2  | ccc.1        ddd.2
                                                |
                                                | ccc.3
                                               BBS
 
On FW:
default		via	ccc.1
your net	via	bbb.2

On Router:
default		via	bbb.1

You don't need to (and mustn't) define a route for directly connected subnets.

fpmw> If it must use static routing, how do we reach the Internet by name from our
fpmw> net? Our internal DNS server maintains internal names only, and our policy
fpmw> is to let our net users go out without restriction and to prohibit Internet
fpmw> users to some extent.

The `Internet' should be able to locate the names of your net. A nice solution is an
external DNS and an internal DNS. The FW and the two DNSs should be configured
so that they communicate (forwarding). But the Internet sees only two or three machines
(the DNS + BBS? + FW(ccc.2)?).

The FW should be configured such that only DNS requests from your external DNS
are allowed, and vice versa. In this way DNS information is available but
your net remains invisible (you can allow ping and deny telnet and so on).



Frank


-------------------------------------------------
F.P.M. Wetzels                           ADIV/CNS
D01-319.1                    f.wetzels@amc.uva.nl
meibergdreef 15              Voice +31 20 5662916
1105 AZ  Amsterdam-ZO          Fax +31 20 6973181
-------------------------------------------------
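The static-route layout in Frank's reply, traced hop by hop, as an added example that is not part of the original message. The post names the subnets aaa/bbb/ccc/ddd without prefixes; the concrete addresses below (RFC 1918 and RFC 5737 documentation space) are assumptions, as is the upstream ISP next hop ddd.1. The post also gives no table for the external router; the example assumes it has return routes for aaa and bbb pointing at the FW's outside address (ccc.2), and shows what happens to traffic from the Internet side when that assumption is dropped. Connected subnets are derived from each box's interface addresses rather than listed as routes, matching the point that you don't (and mustn't) add routes for them.

```python
"""Walk static routes for the dual-homed firewall layout in the post.

Added example, not part of the original message. Subnet prefixes and the
ISP next hop are assumptions; host-number suffixes follow the post's
diagram (aaa.1 internal router, bbb.2/bbb.1 router-FW link, ccc.2 FW
outside, ccc.1 external router, ccc.3 BBS, ddd.2 external router uplink).
"""
import ipaddress

IPv4 = ipaddress.ip_address
Net = ipaddress.ip_network
Iface = ipaddress.ip_interface

DEFAULT = Net("0.0.0.0/0")
AAA = Net("10.1.0.0/24")       # "Your net"                 (assumed prefix)
BBB = Net("10.2.0.0/24")       # Router <-> FW link          (assumed prefix)
CCC = Net("192.0.2.0/24")      # FW <-> ext router, BBS      (assumed prefix)
DDD = Net("198.51.100.0/24")   # ext router <-> Internet     (assumed prefix)


def build_tables(ext_router_has_return_routes=True):
    """Interface addresses and static routes of the three boxes.

    Connected subnets are not listed: the lookup derives them from the
    interfaces, which is why no route for them is needed. The external
    router's table is not in the post; the flag adds the return routes it
    needs toward aaa and bbb via the FW (ccc.2), an assumption of this example.
    """
    ext_routes = [(DEFAULT, IPv4("198.51.100.1"))]          # ddd.1, ISP (assumed)
    if ext_router_has_return_routes:
        ext_routes += [(AAA, IPv4("192.0.2.2")), (BBB, IPv4("192.0.2.2"))]
    return {
        "Router": {
            "ifaces": [Iface("10.1.0.1/24"), Iface("10.2.0.2/24")],      # aaa.1, bbb.2
            "routes": [(DEFAULT, IPv4("10.2.0.1"))],                     # default via bbb.1
        },
        "FW": {
            "ifaces": [Iface("10.2.0.1/24"), Iface("192.0.2.2/24")],     # bbb.1, ccc.2
            "routes": [(DEFAULT, IPv4("192.0.2.1")),                     # default via ccc.1
                       (AAA, IPv4("10.2.0.2"))],                         # your net via bbb.2
        },
        "ExtRouter": {
            "ifaces": [Iface("192.0.2.1/24"), Iface("198.51.100.2/24")],  # ccc.1, ddd.2
            "routes": ext_routes,
        },
    }


def lookup(tables, host, dst):
    """Longest-prefix match over connected subnets and static routes.

    Returns (prefixlen, next_hop); next_hop None means deliver directly on a
    connected subnet. Returns None when the host has no matching route.
    A connected subnet beats a static route of equal length (checked first).
    """
    best = None
    for iface in tables[host]["ifaces"]:
        if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
            best = (iface.network.prefixlen, None)
    for prefix, next_hop in tables[host]["routes"]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0]):
            best = (prefix.prefixlen, next_hop)
    return best


def owner(tables, addr):
    """Name of the box holding interface address `addr`, or None if unmodelled."""
    for name, host in tables.items():
        if any(addr == iface.ip for iface in host["ifaces"]):
            return name
    return None


def trace(tables, start, dst):
    """Follow next hops from `start` toward `dst` and return the path taken.

    Ends with 'delivered to ...' when dst is on a connected subnet, with
    'handed off to ...' when the next hop is outside the model (the Internet),
    or with 'no route' / 'LOOP' / 'hop limit' on a misconfiguration.
    """
    dst = IPv4(dst)
    path, host = [start], start
    for _ in range(8):                        # guard against routing loops
        match = lookup(tables, host, dst)
        if match is None:
            return path + ["no route"]
        _, next_hop = match
        if next_hop is None:
            return path + [f"delivered to {dst}"]
        nxt = owner(tables, next_hop)
        if nxt is None:
            return path + [f"handed off to {next_hop} (Internet, not modelled)"]
        if nxt in path:
            return path + [nxt, "LOOP"]
        path.append(nxt)
        host = nxt
    return path + ["hop limit"]


if __name__ == "__main__":
    tables = build_tables()
    print(trace(tables, "Router", "192.0.2.3"))      # your net -> BBS (ccc.3)
    print(trace(tables, "Router", "203.0.113.9"))    # your net -> Internet
    print(trace(tables, "ExtRouter", "10.1.0.50"))   # reply from outside -> your net
    print(trace(build_tables(False), "ExtRouter", "10.1.0.50"))  # no return route
```

The last trace is the practical check: with only the two tables the post spells out, outbound packets reach the BBS and the Internet, but a reply from the outside router for an aaa address follows its default route back toward the ISP unless someone also gives it (or the FW, via NAT) a way back to your net.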
