[OT]: Invisible firewalls (was Re: [Gllug] Opinions on Smoothwall and other firewalls)

Simon Stewart sms at lateral.net
Thu Oct 11 17:29:52 UTC 2001


We're staggering way off topic here. :)

On Thu, Oct 11, 2001 at 06:09:04PM +0100, tet at accucard.com wrote:
> 
> >Out of curiosity, would you mind explaining the reasons why not
> >decrementing the TTL is a Bad Thing, because I just don't see it?
> >What am I missing?[1] Surely, no-one in their right mind would be using
> >a totally invisible firewall for anything but being a firewall?
> 
> Consider a network with two (or more) transparent proxies or firewalls.
> Then consider when one of them has a flawed routing table, such that it
> routes traffic back to one of the other transparent devices rather than
> on to its correct destination. Because none of the devices in the routing
> loop are decrementing TTL, the packet lives forever. It doesn't take too
> long before your network is unable to cope with the volume of immortal
> packets bouncing backwards and forwards.

Okay, I see that if someone did something that pathologically daft
like that they'd be in for a whole world of pain, but why do they need
2 invisible firewalls? Surely the idea is that they sit on the
periphery of the network and just watch the traffic entering and
exiting the private network?

> No, this isn't purely theoretical. I've seen it happen in real life
> (although fortunately not on a network for which I was responsible).

I'm staggered. Didn't whoever it was that set up the invisible
firewalls test the config without using the "fastroute" option? Or did
the network topology change unexpectedly?

Cheers,

Simon

-- 
"My theory is that the (Internet) industry was started in
 large part by technologists rather than media people..."
            - Robin Webster, President, Interactive Advertising Bureau

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
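As an added illustration of the routing loop Tet describes above (this is constructed example code, not anything posted in the thread), the simulation below forwards one packet around a two-device loop three times: both devices are routers that decrement TTL, both are transparent firewalls that leave TTL untouched, and one of each. The device names, the two-node topology and the hop budget are assumptions made for the example.

```python
"""Simulate a packet caught in a forwarding loop between two devices.

A normal router decrements TTL and drops the packet (sending ICMP Time
Exceeded) when it reaches zero. A transparent ("invisible") firewall that
forwards without touching TTL never does, so the packet lives forever.
Topology and hop budget below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    ttl: int
    hops: int = 0  # how many times the packet has been forwarded


@dataclass
class Device:
    name: str
    next_hop: str          # misconfigured route: points back at the other device
    decrements_ttl: bool   # True for a router, False for a transparent firewall

    def forward(self, pkt: Packet):
        """Return the next device name, or None if the packet was dropped."""
        if self.decrements_ttl:
            pkt.ttl -= 1
            if pkt.ttl <= 0:
                return None  # a real router would emit ICMP Time Exceeded here
        pkt.hops += 1
        return self.next_hop


def run_loop(devices, start, ttl=64, max_hops=10_000):
    """Forward a packet until it is dropped or the hop budget runs out.

    Returns (hops_taken, dropped_by_ttl). A False second value means the
    packet was still circulating when the budget ran out, i.e. it is one of
    the "immortal packets" the thread warns about.
    """
    pkt = Packet(ttl=ttl)
    current = start
    while pkt.hops < max_hops:
        nxt = devices[current].forward(pkt)
        if nxt is None:
            return pkt.hops, True
        current = nxt
    return pkt.hops, False


def loop(a_decrements: bool, b_decrements: bool):
    """Build the constructed A<->B loop with the given TTL behaviour per device."""
    return {"A": Device("A", "B", a_decrements), "B": Device("B", "A", b_decrements)}


if __name__ == "__main__":
    for label, devs in [("two routers", loop(True, True)),
                        ("two transparent firewalls", loop(False, False)),
                        ("router + transparent firewall", loop(True, False))]:
        print(label, "->", run_loop(devs, "A"))
```

Even a single TTL-decrementing hop inside the loop is enough to kill the packet, which is why a fully transparent path is the dangerous case.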