Dynamic routing on firewalls.

Valdis.Kletnieks at vt.edu
Mon Feb 9 15:25:45 UTC 2015


On Mon, 09 Feb 2015 12:56:37 -0200, Patrick Tracanelli said:
> > On 09/02/2015, at 12:14, Valdis.Kletnieks at vt.edu wrote:
> > On Mon, 09 Feb 2015 11:54:04 -0200, Patrick Tracanelli said:
> >> On a bridged firewall you can have the behavior you want, whatever it is. Passing packets with the firewall down, but the box still up.
> >
> > Owen's point is that passing packets if the firewall is down is really poor
> > security-wise.   If you run in that configuration, I simply DoS your firewall
> > (probably from one set of IP addresses), and then once it has fallen over and
> > is being bypassed, I send my *real* malicious traffic from some other IP
> > address, totally uninspected and unhindered.  Much hilarity, hijinks, and
> > pwnage ensues.
>
> Hello Valdis,
>
> If this is really the point, I don’t know what system you are talking about

The one *you* mentioned - "passing packets with the firewall down".  Owen
was pointing out that is a silly configuration:

On 08/02/2015, at 22:48, Owen DeLong <owen at delong.com> wrote:
> Technically true, but bridged firewalls are pretty much passe these days in the
> real world. As a general rule, when the firewall is shut down, one usually
> doesn’t want the packets flowing past un-hindered. The fact that this is kind
> of the default of what happens with bridged firewalls is just one of the many
> reasons hardly anyone still uses such a thing.
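The configuration Owen and Valdis are objecting to is a bridge that fails open: when the filtering process dies, the box keeps forwarding frames with nothing inspecting them. The following watchdog is an added example, not code from the thread or from either poster, showing the opposite choice (fail closed) on a hypothetical Linux bridge firewall. It assumes a bridge named br0 and an nftables chain "forward" in table "bridge filter" that carries the inspection rules; if that chain cannot be confirmed to exist, the bridge is taken down rather than left forwarding.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): fail-closed watchdog for a
# hypothetical Linux bridged firewall.
#
# Assumptions (hypothetical, not taken from the page):
#   - the box bridges its two interfaces as "br0"
#   - the inspection rules live in nftables table "bridge filter", chain "forward"
# If the chain is missing, or nft does not answer within the timeout (daemon
# crashed, ruleset flushed, box too overloaded to reply), the bridge is shut
# so frames stop instead of flowing past uninspected.

BRIDGE="${BRIDGE:-br0}"
TABLE_FAMILY="bridge"
TABLE="filter"
CHAIN="forward"

# Policy decision, kept as a pure function so it can be reasoned about and
# tested without root.
#   $1: filter state, "alive" or "dead"
#   $2: policy, "fail-closed" or "fail-open"
# Prints "forward" or "block".
bridge_action() {
    case "$1:$2" in
        alive:*)          echo forward ;;
        dead:fail-closed) echo block ;;
        dead:fail-open)   echo forward ;;   # the behaviour the thread warns about
        *) echo "bridge_action: bad arguments: $*" >&2; return 1 ;;
    esac
}

# Probe the live ruleset. Any failure counts as "dead": an inspection path you
# cannot confirm is an inspection path you should not trust.
filter_state() {
    if timeout 2 nft list chain "$TABLE_FAMILY" "$TABLE" "$CHAIN" >/dev/null 2>&1; then
        echo alive
    else
        echo dead
    fi
}

# Enforce the decision on the bridge device.
apply_action() {
    case "$1" in
        block)   ip link set "$BRIDGE" down ;;
        forward) ip link set "$BRIDGE" up ;;
    esac
}

# Run the loop only when asked explicitly, so the file can be sourced for tests.
if [ "${WATCHDOG_RUN:-0}" = 1 ]; then
    while :; do
        apply_action "$(bridge_action "$(filter_state)" fail-closed)"
        sleep 1
    done
fi
```

Run it as root with `WATCHDOG_RUN=1 ./bridge-watchdog.sh`. The trade is the one the thread describes: under the flood-then-strike attack Valdis outlines, fail-closed turns the attacker's first stage into an outage rather than a bypass. Note that a watchdog running on the same overloaded box can itself be starved during the flood, which is why the probe treats a timeout as "dead" instead of assuming the last known good state.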
