On Tue, 16 Apr 2002, Schouten, Diederik (Diederik) wrote:

> > Assume IP packets to 195.11.22.5, port 80, which is allowed
> > by the ruleset.
> > 
> > Now, we can either alter the IP, or keep it static. Multiple routers
> > outside the firewall would cause the sender MAC to change all 
> > the time, so you can't assume (at least not by default) that the sender MAC
> > won't change in communication at this layer.
> 
> True, but that is a default gateway issue, not a MAC issue.
> Only the MAC table on the host will be changed all the time.
> One entry pushing out the other.

Ah, but what about the switch?  In a bridge mode, that switch is going to 
have to keep more and more MAC entries for the firewall's port, which 
could cause issues that aren't there for the host's ARP table.

> > OR: for the sake of argument: assume that the network on the less
> > trusted side of the firewall has a fairly large mask, like a /16 one.
> > 65K MAC<>port mappings is a lot more than 99% of the switches out
> > there can handle. Tables capable of handling only 1000-4000 
> > mappings is fairly common, as far as I know, unless you start talking 
> > about big-ass switches that you'll only have one or two of anyway, mixed 
> > with smaller ones for the "branches".
> > 
> > (Yes, I'm an argumentative s-o-b. I know. :))
> 
> In a bridged situation this would automatically mean that the /16 is on both
> sides, we are bridging after all...
> 
> I can still specify the IP ranges/hosts behind my interfaces though.
> 
> What if your router has a /16 on one side, if they are able to mess with the
> switch connected to your routed firewall you are down anyway.

A routed firewall generally only has one MAC entry associated with its 
port, so the "add lots of MAC entries to the switch" stuff won't happen 
through the routing firewall.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
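The capacity point argued above (a bridged firewall exposes every upstream MAC to the inside switch, a routed one exposes only its own) can be checked with a small model. The following is an added example, not code from the thread or from any product; it assumes a switch that evicts its oldest entry when the table is full, one MAC per upstream host, and the 65K-host /16 and 1000-4000-entry table sizes quoted in the thread. The MAC addresses and port name are constructed.

```python
from collections import OrderedDict

# Sizes taken from the thread: a /16 holds ~65K hosts, and a typical switch
# MAC table holds 1000-4000 entries (the 4000 figure is used here).
HOSTS_IN_SLASH16 = 2 ** 16 - 2  # usable addresses; assumption: one MAC per host
TYPICAL_TABLE_CAPACITY = 4000


def synthetic_mac(index):
    """Constructed, locally administered MAC address for host number `index`."""
    octets = [0x02, 0x00,
              (index >> 24) & 0xFF, (index >> 16) & 0xFF,
              (index >> 8) & 0xFF, index & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)


class MacTable:
    """Toy model of a switch's MAC learning table with a fixed capacity.

    Assumption: when the table is full, the oldest entry is evicted to make
    room (real switches differ in how they age and replace entries).
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()  # source MAC -> port it was learned on
        self.evictions = 0

    def learn(self, mac, port):
        if mac in self.entries:
            # Refresh an existing entry; no new table slot is consumed.
            self.entries.move_to_end(mac)
            self.entries[mac] = port
            return
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)
            self.evictions += 1
        self.entries[mac] = port

    def count_for_port(self, port):
        return sum(1 for p in self.entries.values() if p == port)


def frames_seen_on_firewall_port(topology, host_count, firewall_mac):
    """Yield the source MAC the inside switch sees on its firewall-facing port.

    bridged: the firewall forwards frames with the L2 header intact, so every
             outside host's MAC shows up on that one port.
    routed:  the firewall rewrites the L2 header, so only its own MAC shows up.
    """
    for i in range(host_count):
        if topology == "bridged":
            yield synthetic_mac(i)
        elif topology == "routed":
            yield firewall_mac
        else:
            raise ValueError(f"unknown topology: {topology}")


def simulate(topology, host_count=HOSTS_IN_SLASH16, capacity=TYPICAL_TABLE_CAPACITY):
    """Return how many entries the firewall-facing port ends up holding and how
    many learned entries the switch had to discard along the way."""
    table = MacTable(capacity)
    fw_port = "gi0/1"                      # constructed port name
    fw_mac = synthetic_mac(0xFFFFFF)       # constructed firewall MAC
    for mac in frames_seen_on_firewall_port(topology, host_count, fw_mac):
        table.learn(mac, fw_port)
    return {
        "entries_on_firewall_port": table.count_for_port(fw_port),
        "evictions": table.evictions,
    }


if __name__ == "__main__":
    for topo in ("bridged", "routed"):
        print(topo, simulate(topo))
```

Running it shows the bridged port saturating the whole 4000-entry table and churning through tens of thousands of evictions, while the routed port never needs more than one entry. When sizing a bridge-mode deployment, compare the number of distinct MACs the firewall will forward against the MAC-table capacity of the switch on each side rather than only against the firewall's own state limits.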

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls