On the GNAC firewall list [EMAIL PROTECTED] wrote:
>
>Let's make that more explicit - a packet destined for one of the known
>"internet" addresses in your DMZ would match a route entry like 12.13.14.0
>255.255.255.0, and head out of the WAN link, while a packet for Elsewhere
>would not match any of the specific addresses and match 0.0.0.0 (default
>route) and get shoved out of the ISP link at the remote site.
If you are really concerned about internal traffic not going
through the Internet, you might want to supplement the routes with
ACLs on the routers. Traffic between internal machines would be
explicitly forbidden to pass through the interfaces connected
to the Internet. That way, if someone puts in bad routes, the bad
traffic will not pass the ACLs, and if some branch office sets
up their router incorrectly, the bad packets won't get through
the Internet->Main office interface anyway. Redundant security.
--
#include <std_disclaim.h> Lorens Kockum
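As an added example, not part of the original thread: a small Python model of the two layers the reply describes, longest-prefix-match routing plus an outbound ACL on the Internet-facing interfaces, showing that internal-to-internal traffic is dropped even when a missing or wrong route would send it out the ISP link. Everything except the 12.13.14.0/24 DMZ prefix (interface names, the internal ranges, the other routes) is an assumption made for the example.

```python
from ipaddress import ip_address, ip_network

# Internal address space that must never leave via an Internet link
# (constructed for this example).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Interfaces connected to the Internet, where the outbound ACL is enforced.
INTERNET_IFACES = {"wan0", "isp0"}

def make_routes(entries):
    """Build a route table from (prefix, egress interface) string pairs."""
    return [(ip_network(prefix), iface) for prefix, iface in entries]

# Route table: 12.13.14.0/24 is the DMZ prefix from the post, reachable over
# the WAN link; 10.0.0.0/8 stays on the LAN; everything else takes the default.
ROUTES = make_routes([
    ("12.13.14.0/24", "wan0"),
    ("10.0.0.0/8", "lan0"),
    ("0.0.0.0/0", "isp0"),
])

def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)

def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching prefix wins."""
    a = ip_address(dst)
    matches = [(net, iface) for net, iface in routes if a in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def acl_permits(iface, src, dst):
    """Outbound ACL on Internet-facing interfaces: deny internal->internal."""
    if iface in INTERNET_IFACES and is_internal(src) and is_internal(dst):
        return False
    return True

def forward(src, dst, routes=ROUTES):
    """Egress interface for the packet, or None if the ACL drops it."""
    iface = lookup_route(dst, routes)
    if iface is None or not acl_permits(iface, src, dst):
        return None
    return iface
```

With the correct table, internal traffic stays on lan0; if the 10.0.0.0/8 route is missing (or a branch prefix such as 192.168.0.0/16 was never added), routing alone would push the packet out isp0, and only the ACL stops it.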