Static routes on AIX 3.2.2 firewall machine
ITEM: RTA000154815
Q:
Topic thread:
RALEIGH NETWORKING SUPPORT CENTER (RALY - NA/ATS)
IBM COMMERCEPOINT
IBM eNetwork Firewall V3.2 for AIX
Generally speaking, should the routing tables (static or dynamic) on a
firewall machine be kept to a minimum? If so, is it advisable not to run
routed on the firewall machine? Also, on a firewall machine it makes more
sense to me to use the router on the public side as the default router.
Any reasons not to do this?
Thanks for your help....
A:
Hi Robert,
Yes, it is good to keep your routing tables to a minimum. In fact,
the more work you can take off the firewall, the better the performance
of the firewall will be.
And to your second question - I completely agree. The router on
the public side of the firewall should be set up as the default router.
That is a very common set-up for routers and actually can once again
help to minimize the processing done at the firewall as the router
can do some IP filtering of its own.
Thanks for using ASKQ.
Q:
My question may be more of a routing question. It might be better to
talk to you to explain. But I will try to be more specific. My
customer's current firewall uses the public address as the default.
As a result of this they had to add a lot of static routes to allow
their private machines traffic to flow to and from the internet.
This has caused them problems when Firewall machine has been restarted.
If they change the default to the private side, will this alleviate
the need to have private static addresses on the firewall? And if they do
this, will the traffic to the internet flow properly?
Also, should you run a dynamic routing protocol on the firewall?
Why or why not?
Thanks for your help..
A:
Hi Robert,
The public address (the external NIC card) is the correct address
for your customer to be using. This masks any internal network
information from anyone on the Internet. Two issues on changing their
default ip address to the private side; 1). This becomes an 'open door'
for someone to be able to 'fake out' the firewall and allow them to
potentially get into the trusted network. It basically defeats the
purpose of having the firewall. Secondly (I'm assuming your customer
is using NAT when you refer to 'private static addresses'), the
enterprise would *still* need valid registered IP addresses to get out
to the Internet. Without those 'private static addresses', they will
not get access to the Internet.
Re: the question on dynamic routing protocol - I have left a phone
mail message for one of the router guys here in my building as this
is more of a router question. I'll provide feedback to you via this
PMR as soon as I hear from him. In the meantime, you might want to
see if you can find a 'router queue' in View Blue and ask that question
as well.
Thanks for using ASKQ.
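The two points made in the answers above (default route through the public-side router, and as few static routes on the firewall as possible) can be checked mechanically. The script below is an added example, not part of the ASKQ record or IBM's firewall product: it audits a constructed, AIX-style `netstat -rn` listing and assumes the public interface is `en0` on 192.0.2.0/24 and the private interface is `en1` on 10.0.0.0/8 (both sample values).

```shell
#!/bin/sh
# Added example (not from the ASKQ record). Audit a firewall routing table:
# the default route must leave through the public interface, and every other
# gateway (UG) route is a static route that has to survive a restart.
# Assumed layout: en0 = public side (192.0.2.0/24), en1 = private side (10/8).

# Constructed sample of `netstat -rn` output; column layout approximates AIX.
SAMPLE_ROUTES='Destination      Gateway        Flags  Refs  Use   If
default          192.0.2.1      UG     3     1220  en0
10.1/16          10.1.0.2       U      5     8210  en1
10.2/16          10.1.0.254     UG     0       12  en1
10.3/16          10.1.0.254     UG     0        4  en1
192.0.2/24       192.0.2.10     U      2     3399  en0
127/8            127.0.0.1      U      1      900  lo0'

# Same table but with the default route pointed at the private-side router,
# the configuration the second answer warns against.
BAD_ROUTES='Destination      Gateway        Flags  Refs  Use   If
default          10.1.0.254     UG     3     1220  en1
10.1/16          10.1.0.2       U      5     8210  en1
192.0.2/24       192.0.2.10     U      2     3399  en0'

# Print the interface the default route leaves through.
default_route_if() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $6 }'
}

# Count gateway routes other than the default; each one is a static route
# that is lost on reboot unless it is re-added from the startup scripts.
static_gateway_routes() {
    printf '%s\n' "$1" | awk '$1 != "default" && $3 ~ /G/ { n++ } END { print n+0 }'
}

# Return 0 when the default route uses the public interface, 1 otherwise,
# and report how many extra static routes the firewall is carrying.
audit_routes() {
    routes="$1"; public_if="$2"
    dif=$(default_route_if "$routes")
    n=$(static_gateway_routes "$routes")
    if [ "$dif" != "$public_if" ]; then
        echo "FAIL: default route via $dif, expected public interface $public_if"
        return 1
    fi
    echo "OK: default via $public_if; $n static gateway routes to internal networks"
    return 0
}

audit_routes "$SAMPLE_ROUTES" en0
```

On a real AIX host the listing would come from `netstat -rn`; a non-zero static-route count is the set of routes that must be present in the startup configuration, which is the restart problem the question describes.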
WWQA: ITEM: RTA000154815
Dated: 02/1999 Category: FIREWAIX
This HTML file was generated 99/06/24~12:43:42