Firewall Wizards mailing list archives

RE: Newbie question - IP routing through a firewall


From: Peter Mayne <Peter.Mayne () digital com>
Date: Tue, 2 Jun 1998 14:00:31 +1000

The AltaVista Firewall for UNIX has packet-forwarding enabled by default.

There are (at least) two reasons for this.

1) screend is used to block all packet forwarding (by default). This
provides better logging of attempts to route packets through the firewall
than turning off routing altogether.

2) If you *do* need to route packets from one side to the other (for
instance, awkward things like DCOM/RPC or rsh tend not to be proxyable),
it's easy to do. If you don't have packet forwarding and you don't have a
proxy, what do you do?

PJDM
----
Peter Mayne, Digital Equipment Corporation (Australia), Canberra, ACT
These are my opinions, and have nothing to do with Digital.
"Forgive my long delay in writing, but I have been simply overwhelmed with
work."
    - Letter from Miss Mina Murray to Miss Lucy Westenra; Dracula, Bram
Stoker

-----Original Message-----
From: Kjell Wooding 
Sent: Tuesday, June 02, 1998 1:21 AM
To:   firewall-wizards () nfr net
Subject:      Re: Newbie question - IP routing through a firewall


> I've read you shouldn't have IP Routing enabled in the firewall, that's

> That's dependent on the type of firewall, packet-level (yep) or
> application level (nope).

Hm? Seems to me you should have IP forwarding DISabled, and the firewall
should be responsible for forwarding all traffic (Even in a packet
filtering environment). If the kernel can forward packets across
interfaces, you're asking for trouble. (Firewall gets disabled or
otherwise, OS happily forwards ALL packets. Not the situation you want to
see)

-kj
--
Kjell Wooding <kwooding () codetalker com>
Codetalker Communications, Inc.

http://www.codetalker.com/
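The disagreement above is about one kernel switch: whether the firewall host itself forwards packets between interfaces, and what happens to transit traffic if the filtering layer (screend in Peter's case) dies. As an added example that is not part of either message, the script below audits that switch on a modern Linux host (the thread discusses the AltaVista Firewall for UNIX; the Linux `/proc/sys/net/ipv4/ip_forward` path and the `sysctl` keys are my assumption) and prints the persistent setting that implements Kjell's fail-closed posture. The file path argument and the sample files are constructed so the check can be run offline.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux, where the kernel's
# IP-forwarding switch is readable as 0/1 in /proc/sys/net/ipv4/ip_forward.

# Return 0 when forwarding is off (fail-closed: the kernel drops transit
# packets even with no filter loaded), 1 when on (transit traffic depends
# entirely on the filter being up), 2 when the setting cannot be read.
# An optional path argument lets the check run against a sample file.
forwarding_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}

# One report line for the posture, usable in an audit log.
describe_forwarding() {
    rc=0
    forwarding_state "$1" || rc=$?
    case "$rc" in
        0) echo "forwarding=off: kernel drops transit packets even if the filter is down" ;;
        1) echo "forwarding=on: transit traffic relies entirely on the filter being up" ;;
        *) echo "forwarding=unknown: setting not readable" ;;
    esac
}

# The persistent setting for the fail-closed posture Kjell argues for:
# forwarding stays off, and a filter that needs it enables it explicitly.
# Written to stdout so it can be reviewed before landing in /etc/sysctl.d/.
hardening_fragment() {
    printf '%s\n' \
        '# Firewall host: do not forward unless the filtering layer turns it on' \
        'net.ipv4.ip_forward = 0' \
        'net.ipv6.conf.all.forwarding = 0'
}

# Constructed sample inputs standing in for /proc on hosts we cannot read.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '0\n' > "$SAMPLE_DIR/ip_forward_off"
printf '1\n' > "$SAMPLE_DIR/ip_forward_on"

describe_forwarding "$SAMPLE_DIR/ip_forward_off"
describe_forwarding "$SAMPLE_DIR/ip_forward_on"
describe_forwarding "$SAMPLE_DIR/ip_forward_missing"
hardening_fragment
```

Run with no argument on a live host to check its real state; Peter's alternative (forwarding on, with screend dropping and logging everything by default) shows up as `forwarding=on`, which is exactly the posture where the filter daemon becomes a single point of failure and deserves its own liveness monitoring.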
