You should be able to pass routing broadcast through the firewall.
I will make an assumption that you are using cisco routers, if not,
the same method should apply assuming your routers can support similar
Set up your firewall to pass protocol 9, which is the protocol number
for IGP (any internal gateway protocol). Don't worry about port
numbers since it isn't applicable. Make your source and destination
addresses appropriate, either peer-to-peer or any-to-any. Set cache
timeouts for this rule to be low (10 seconds should be good) if you
want routing transactions logged, otherwise, routing updates will be
often enough not to time out the session cache on the firewall.
On the routers you can set up peering relationships that avoid the
normal routing broadcast to 255.255.255.255 which firewalls usually
don't like to deal with.
Also if you run different subnets on either side of your firewall you
need to add secondary addresses to your routers of the subnets
opposite them on the firewall. You need this otherwise the router
may get an update but toss it as an invalid source.
Add static arp entries into your routers pointing the address of the
router interface (your peer) on the other side of the firewall at the
interface of the firewalls closest interface. This allows each
router to forward routing updates to the firewall for forwarding.
...and behold...it works like a charm....your mileage may vary.
On 8 Feb 96 at 12:21, F .
> fpmw> I am testing our fw-1 and have got a question before
> fpmw> implementing our security.
> fpmw> I will use dual homed g/w with fw-1 and connect each ends to the internet
> fpmw> and our internal network.
> fpmw> Our net -- Router ----- F/W ---- Router -- Internet
> fpmw> |
> fpmw> BBS Server ...
> fpmw> The question is whether each router can exchange its routing table or not?
> fpmw> If it can, how is it possible?
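As an added illustration of the two points in the reply above, the protocol-number rule with no ports and the session-cache timeout that decides whether every routing update gets logged. This is a toy model written for this page, not Firewall-1's own logic or configuration; the peer addresses, the 90-second update interval and the packet timings are constructed values.

```python
from dataclasses import dataclass, field

IGP_PROTOCOL = 9  # IP protocol number the reply says to permit through the firewall

# Constructed peer addresses: the router interfaces on either side of the firewall.
INSIDE_ROUTER = "192.0.2.1"
OUTSIDE_ROUTER = "198.51.100.1"


@dataclass(frozen=True)
class Packet:
    time: float   # seconds since the simulation started
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Rule:
    src: str      # an address, or "any"
    dst: str
    proto: int    # IP protocol number; no ports, since they do not apply to protocol 9
    log: bool = True

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


@dataclass
class StatefulFilter:
    """Toy stateful filter (assumption, not FW-1's implementation): a permitted
    flow is remembered in a session cache, and only the packet that creates a
    cache entry produces a log line."""
    rules: list
    cache_timeout: float
    cache: dict = field(default_factory=dict)   # (src, dst, proto) -> last seen time
    logged: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.proto)
        last_seen = self.cache.get(key)
        if last_seen is not None and pkt.time - last_seen <= self.cache_timeout:
            self.cache[key] = pkt.time      # refresh the live session, no new log line
            return True
        for rule in self.rules:
            if rule.matches(pkt):
                self.cache[key] = pkt.time  # new (or expired) session: cache it and log it
                if rule.log:
                    self.logged.append(pkt)
                return True
        return False                         # no rule matched: drop


def peer_rules():
    # Peer-to-peer in both directions, protocol 9 only, logging on.
    return [Rule(INSIDE_ROUTER, OUTSIDE_ROUTER, IGP_PROTOCOL),
            Rule(OUTSIDE_ROUTER, INSIDE_ROUTER, IGP_PROTOCOL)]


def simulate_updates(cache_timeout, interval=90.0, n_updates=5):
    """Send n periodic routing updates inside->outside and return
    (packets accepted, packets logged)."""
    fw = StatefulFilter(peer_rules(), cache_timeout)
    accepted = 0
    for i in range(n_updates):
        pkt = Packet(i * interval, INSIDE_ROUTER, OUTSIDE_ROUTER, IGP_PROTOCOL)
        accepted += fw.handle(pkt)
    return accepted, len(fw.logged)


def is_permitted(src, dst, proto, cache_timeout=10.0):
    """Single-packet check against a fresh filter."""
    fw = StatefulFilter(peer_rules(), cache_timeout)
    return fw.handle(Packet(0.0, src, dst, proto))


if __name__ == "__main__":
    print("timeout 10 s :", simulate_updates(10.0))    # every update logged
    print("timeout 300 s:", simulate_updates(300.0))   # only the first update logged
    print("UDP from peer:", is_permitted(INSIDE_ROUTER, OUTSIDE_ROUTER, 17))
```

With a 10-second cache timeout the cache entry expires between updates, so each update re-matches the rule and is logged; with a timeout longer than the update interval the first update creates the session and the rest silently refresh it, which is the behaviour the reply warns about. Packets for other protocols or from addresses that are not the configured peers fall through the rule list and are dropped.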