Re: [fw-wiz] Firewall routing thought...
From: Dana Nowell (DanaNowell_at_cornerstonesoftware.com)
Date: 07/08/04
- Previous message: Devdas Bhagat: "Re: [fw-wiz] Firewall routing thought..."
- Maybe in reply to: Eric Appelboom: "[fw-wiz] Firewall routing thought..."
- Next in thread: Gwendolynn ferch Elydyr: "Re: [fw-wiz] Firewall routing thought..."
- Reply: Gwendolynn ferch Elydyr: "Re: [fw-wiz] Firewall routing thought..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: eric@mweb.com, gwen@reptiles.org
Date: Thu, 08 Jul 2004 16:48:06 -0400
Aaahhhh, if they are on the same subnet, why is the gateway involved at
all? Last time I checked, 10.1.1.1 (assume mask 255.255.255.0) talked
directly to 10.1.1.2, no gateway in the middle. There is an automagic
'static route' that says 10.1.1.x is local to the segment.
On Tue, 6 Jul 2004 13:50:18 -0400 (EDT) Gwendolynn ferch Elydyr penned:
>On Fri, 2 Jul 2004, Eric Appelboom wrote:
>> If one has firewall A with external ip on the same subnet as firewall B.
>> How common is the practice of adding static routes on firewall A for The
>> networks protected by firewall B and the other way round.
>>
>> Would this technique not lower the latency or overheads of not having the
>> packets en route from firewall A to firewall B being sent to its default
>> gateway to then be processed by the router and sent to firewall B. Thus the
>> traffic would be direct A<-->B
>
>I think you're a bit confused about how routing/routers work, and what
>the relative "costs" are.
>
>Your network layout isn't really clear from your email, but as soon as
>you make a change in broadcast domains, the router is going to be involved.
>
>> Besides being a tad messy would it be considered and at what traffic rate?
>
>Well - I generally wouldn't consider it at any traffic rate.
>
>First of all, it's not likely to improve your latency or overhead. The
>packets are still going to be seen by the router.
>
>Secondly, you've now added complexity to your network in the form of a
>bunch of static routes in different places, all of which need to be
>maintained - and almost certainly won't be, until some change breaks
>things.
>
>"a tad messy" is almost always a signal to run away screaming. That's
>code for "unmaintainable" and "all-nighters".
>
>Ranting briefly, a good design should be clear and easy to understand
>and explain. If you find yourself handwaving, or muttering quickly to
>get past some point in your design [or adding in "here be dragons"],
>you should stop and figure out why.
--
Dana Nowell
Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
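The point Dana makes above (a host installs a connected, on-link route for its own subnet, so 10.1.1.1/24 reaches 10.1.1.2 with no gateway) and the static-route question Eric raised can both be seen in a small forwarding-table lookup. The following is an added example, not code from the thread or from any firewall product; the addresses (firewall A at 10.1.1.1/24, firewall B at 10.1.1.2/24 protecting 192.168.2.0/24, default gateway 10.1.1.254) are constructed for illustration.

```python
"""Added example (not from the firewall-wizards thread): a minimal IPv4
forwarding-table lookup showing the on-link ('connected') route and the
effect of a static route toward the network behind a neighbouring firewall.

Constructed assumptions: firewall A owns 10.1.1.1/24 on its external
interface, firewall B owns 10.1.1.2/24 on the same segment, B protects
192.168.2.0/24, and the segment's default gateway is 10.1.1.254.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: str


def connected_route(addr_with_mask: str, interface: str) -> Route:
    """The 'automagic' route a host installs when an interface is configured:
    the whole subnet is on-link, so frames go straight to the destination."""
    iface = ipaddress.IPv4Interface(addr_with_mask)
    return Route(iface.network, None, interface)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same selection rule a kernel FIB applies."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (address the frame is actually sent to, egress interface).
    For an on-link route that address is the destination itself, so no
    router touches the packet."""
    route = lookup(table, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    hop = route.gateway if route.gateway is not None else ipaddress.IPv4Address(dst)
    return str(hop), route.interface


# Firewall A without any extra static routes: connected /24 plus default.
WITHOUT_STATIC = [
    connected_route("10.1.1.1/24", "eth0"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address("10.1.1.254"), "eth0"),
]

# Firewall A with the static route Eric asked about: the network behind
# firewall B reached via B's external address on the shared segment.
FIREWALL_A = WITHOUT_STATIC + [
    Route(ipaddress.IPv4Network("192.168.2.0/24"), ipaddress.IPv4Address("10.1.1.2"), "eth0"),
]

if __name__ == "__main__":
    for dst in ("10.1.1.2", "192.168.2.10", "8.8.8.8"):
        print(f"{dst:>14} without static -> {next_hop(WITHOUT_STATIC, dst)}")
        print(f"{dst:>14} with static    -> {next_hop(FIREWALL_A, dst)}")
```

Running it shows that 10.1.1.2 is reached directly in both tables (the connected route wins regardless of static entries), that 192.168.2.10 goes to the default gateway 10.1.1.254 unless the static route is present, and that with the static route it is handed to 10.1.1.2 on the same segment. Whether that second case is worth the maintenance burden of static routes on every firewall is the design question the rest of the thread debates.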