Static routes on AIX 3.2.2 firewall machine

ITEM: RTA000154815

Topic thread:                                                                   
RALEIGH NETWORKING SUPPORT CENTER (RALY - NA/ATS)                               
 IBM COMMERCEPOINT                                                              
  IBM eNetwork Firewall V3.2 for AIX                                            
Generally speaking, should the routing tables(static or dynamic) on a           
firewall machine be keep to a minimum? If so is it advisable not to run         
routed on the firewall machine? Also, on firewall machine it makes more         
sense to me to use the router on the public side as the default router.         
Any reasons not to this?                                                        
Thanks for your help....                                                        
Hi Robert,                                                                      
Yes, it is good to keep your routing tables to a minimum.  In fact,             
the more work you can take off the firewall, the better the performance         
of the firewall will be.                                                        
And to your second question - I completely agree.  The router on                
the public side of the firewall should be set up as the default router.         
That is a very common set-up for routers and actually can once again            
help to minimize the processing done at the firewall as the router              
can do some IP filtering of its own.                                            
Thanks for using ASKQ.                                                         
My question may be more of a routing question. It might be better to            
talk to you to explain. But I will try to be more specific. My                  
customer's current firewall uses the public address as the default.             
As a result of this they had to add a lot of static routes to allow             
their private machines traffic to flow to and from the internet.                
This has caused them problems when Firewall machine has been restarted.         
If they change the default to the private side, will this alleviate             
the need to have private static address on the firewall? And if they do         
this, will the traffic to the internet flow properly?                           
If they change the default to the private side, will this alliviate             
the need to have static address on the firewall? And if they do                 
this will the traffic to the internet flow properly?                            
Also, should you run a dynamic routing protocol on the firewall?                
Why or why not?                                                                
Thanks for you help..                                                           
Hi Robert,                                                                      
The public address (the external NIC card) is the correct address               
for your customer to be using.  This masks any internal network                 
information from anyone on the Internet. Two issues on changing their           
default ip address to the private side; 1). This becomes an 'open door'         
for someone to be able to 'fake out' the firewall and allow them to             
potentially get into the trusted network.  It basically defeats the             
purpose of having the firewall.  Secondly (I'm assuming your customer           
is using NAT when you refer to 'private static addresses'), the                 
enterpirse would *still* need valid registered IP addresses to get out          
to the Internet.  Without those 'private static addresses', they will           
not get access to the Internet.                                                
Re: the question on dynamic routing protocol - I have left a phone              
mail message for on of the router guys here in my building as this              
is more of a router question.  I'll provide feedback to you via this            
PMR as soon as I hear from him.  In the mean time, you might want to            
see if you can find a 'router queue' in View Blue and ask that question         
as well.                                                                        
Thanks for using ASKQ                                                          

WWQA: ITEM: RTA000154815 ITEM: RTA000154815
Dated: 02/1999 Category: FIREWAIX
This HTML file was generated 99/06/24~12:43:42
Comments or suggestions? Contact us