> -----Original Message-----
> From: Enno Rey [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 1 November 1999 8:22 AM
> To: Jean Morissette
> Cc: [EMAIL PROTECTED]
> Subject: Re: arp problems
>
>
> Christopher Dinsmore wrote:
>
> > Enabling IP forwarding is essential to ensure proper operation of most
> > firewalls with Windows NT
>
> Once again: depends on your firewall product. Application proxies (Gauntlet,
> Raptor, even MSProxy) don't need it; they force you to disable it.
> Only packet filtering firewalls (even those holy stateful inspecting ones
> ... :-)) need ip-forwarding, because it's their job and method to work as
> routers...
Actually, this just isn't true. Gauntlet for NT (Well, versions 2.something
through 5 anyway) wants you to _enable_ IP forwarding - if you disable it
before setup it will enable it for you. I assume that this is because
Gauntlet also allows you to do straight packet filtering if you don't want
to or can't use one of the proxies. I would be very surprised if NAT would
work without IP forwarding for this reason (NAT is almost always traffic
that hasn't hit a proxy - otherwise it would be using the external address
of the firewall). I would also be surprised if this was just a "Gauntlet
thing".
> IMHO no professional firewall should rely on OS's forwarding mechanism
> without some kind of additional, hardened control or some kind of
> proprietary forwarding.
I don't understand your point. I always thought that the design decision was
to go with a modified driver for the interfaces (eg Gauntlet) OR to go with
a custom routing / forwarding engine (Uh...ipchains etc?). I, personally,
prefer the idea of the modified driver because of the extra potential to
handle fragmentation and layer 2 attacks. Is there really that much of an
argument for running both?
If you're making your decisions at the first time the packet hits the
interface, then rejected traffic will never be passed to the routing engine.
To say that this isn't enough is (to me) logically equivalent to asserting
that there exists traffic that you can't detect at the network driver level
that can cause you problems during forwarding. I'm genuinely interested to
know if this is the case...
Oh, one more thing. I had the same problem Christopher described (NAT not
working due to NT failing to maintain ARP aliases for NAT'ed IP addresses)
and solved it in the same way (added manual arp cache entries to the
upstream router). And here was me thinking I was just a lazy kludge artist.
Cheers,
--
Ben Nagy
Lazy Kludge Artist, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
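A check for the ARP-alias symptom discussed in the thread, added here as an example and not code from the original posters: it parses a constructed Cisco-style `show ip arp` listing from the upstream router and reports NAT pool addresses that have no entry, that were only learned dynamically (and so will age out once the NT box stops answering ARP for them), or that resolve to a MAC other than the firewall's external interface. The router output format, the NAT pool, and the firewall MAC are assumptions.

```python
import re

# Constructed sample of Cisco-style "show ip arp" output from the upstream router.
# Age "-" marks a static (manually added) entry; a number is a dynamic one.
SAMPLE_ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  203.0.113.10            3   00a0.c9ab.cd01  ARPA   FastEthernet0/0
Internet  203.0.113.11            -   00a0.c9ab.cd01  ARPA   FastEthernet0/0
Internet  203.0.113.13            7   0800.2b12.3456  ARPA   FastEthernet0/0
"""

FIREWALL_MAC = "00a0.c9ab.cd01"  # assumed: MAC of the NT firewall's external NIC
NAT_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]  # assumed pool

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(\S+)"
)


def parse_arp_table(text):
    """Return {ip: {"mac", "static", "interface"}} from Cisco-style ARP output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header line or unrelated output
        ip, age, mac, iface = m.groups()
        entries[ip] = {"mac": mac.lower(), "static": age == "-", "interface": iface}
    return entries


def audit_nat_arp(entries, nat_pool, firewall_mac):
    """List (ip, problem) for NAT addresses the router cannot reliably reach."""
    findings = []
    for ip in nat_pool:
        entry = entries.get(ip)
        if entry is None:
            findings.append((ip, "missing"))          # router has no path at all
        elif entry["mac"] != firewall_mac.lower():
            findings.append((ip, "wrong-mac"))        # some other host answered for it
        elif not entry["static"]:
            findings.append((ip, "dynamic"))          # will expire when NT stops replying
    return findings


if __name__ == "__main__":
    for ip, problem in audit_nat_arp(parse_arp_table(SAMPLE_ARP_TABLE), NAT_POOL, FIREWALL_MAC):
        print(f"{ip}: {problem}")
```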