"Schouten, Diederik (Diederik)" wrote:
> 
> Mikael Olsson wrote:
> > Unless the firewall in question has explicit limits on how
> > many MAC addresses it will allow inbound [...]
> 
> In case you are using wildcards in your configuration this would
> indeed be possible.
> 
> Fact is that with the learning bridge implementation of the BRICK,
> only ARPs for hosts specified on a certain interface/zone will be
> passed (actually recreated) and therefore overloading the MAC table
> on the switch is quite unlikely.

Hmm, I'm not sure I understand what you're saying here.

Consider the following packets, all sent from "ext" to "int":
(or "dmz" to "int" ... any case of "less trusted" -> "more trusted")
  0000:1111:1111->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
  0000:1111:1112->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
  0000:1111:1113->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
  0000:1111:1114->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
  0000:1111:1115->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5

(Assuming that 195.11.22.1 is a valid host on the outside of the
firewall, and that 195.11.22.5 lives on the inside).

Are you saying that there is an easy way of keeping internal switches
from learning about the MAC addresses 0000:1111:111[1-5]? 


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
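The disagreement above comes down to what a downstream switch actually sees: a transparent bridge that forwards frames verbatim lets the internal switch learn every source MAC that arrives on "ext", whereas a bridge that re-originates ARP from its own interface MAC never exposes those addresses. The following is an added model of both behaviours plus the check a defender would run over captured ARP (how many distinct MACs claim one IP on the untrusted side). It is constructed for this thread and is not the BRICK's implementation; the bridge MAC, the per-zone host table and the CAM-table capacity are assumptions, and the five frames are the ones quoted in the mail.

```python
"""Constructed model of the two bridging behaviours discussed in the thread.

Not BRICK code: a transparent bridge (forwards frames unchanged) next to a
bridge that only passes ARP for hosts configured on the arrival zone and
re-originates it with its own MAC, plus a distinct-MACs-per-IP detector.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpQuery:
    src_mac: str
    dst_mac: str
    sender_ip: str
    target_ip: str
    zone: str  # interface the frame arrived on ("ext", "dmz", "int")


# The five frames from the mail: one valid external IP, five source MACs.
SAMPLE_FRAMES = [
    ArpQuery(f"0000:1111:111{i}", "ffff:ffff:ffff",
             "195.11.22.1", "195.11.22.5", "ext")
    for i in range(1, 6)
]

# Assumed values: MAC of the bridge's "int" interface and the per-zone
# host table Schouten refers to.
INT_IF_MAC = "00aa:bbcc:dd01"
ZONE_HOSTS = {"ext": {"195.11.22.1"}, "int": {"195.11.22.5"}}


class LearningSwitch:
    """Internal switch with a bounded CAM table (capacity is an assumption)."""

    def __init__(self, capacity=1024):
        self.cam = set()
        self.capacity = capacity

    def receive(self, src_mac):
        # Learn the source MAC; once the table is full a real switch stops
        # learning and floods, which is the risk Mikael describes.
        if src_mac in self.cam or len(self.cam) < self.capacity:
            self.cam.add(src_mac)
            return True
        return False


def transparent_bridge(frames, switch):
    """Forward every frame unchanged: the switch sees each spoofed MAC."""
    for f in frames:
        switch.receive(f.src_mac)
    return switch.cam


def recreating_bridge(frames, switch):
    """Pass only ARP whose sender is configured on the arrival zone and whose
    target is an "int" host, and re-originate it from the bridge's own MAC."""
    dropped = 0
    for f in frames:
        if (f.sender_ip not in ZONE_HOSTS.get(f.zone, set())
                or f.target_ip not in ZONE_HOSTS["int"]):
            dropped += 1
            continue
        switch.receive(INT_IF_MAC)  # downstream only ever learns this MAC
    return switch.cam, dropped


def macs_per_ip(frames, threshold=1):
    """Detection: (zone, IP) pairs claimed by more than `threshold` MACs."""
    seen = defaultdict(set)
    for f in frames:
        seen[(f.zone, f.sender_ip)].add(f.src_mac)
    return {k: sorted(v) for k, v in seen.items() if len(v) > threshold}


if __name__ == "__main__":
    print("transparent:", sorted(transparent_bridge(SAMPLE_FRAMES, LearningSwitch())))
    print("recreating:", recreating_bridge(SAMPLE_FRAMES, LearningSwitch()))
    print("flagged:", macs_per_ip(SAMPLE_FRAMES))
```

Run as-is, the transparent bridge leaves all five spoofed MACs in the switch's table while the recreating bridge leaves exactly one (the bridge's own), and the detector flags 195.11.22.1 on "ext" as claimed by five MACs, which is the same signal a monitor on the outside segment could alert on regardless of which bridge model is in use.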
