Re: [fw-wiz] Firewall routing thought...

From: Gwendolynn ferch Elydyr (gwen_at_reptiles.org)
Date: 07/09/04

  • Next message: Melson, Paul: "RE: [fw-wiz] Pix - access list trouble?"
    To: Dana Nowell <DanaNowell@cornerstonesoftware.com>
    Date: Thu, 8 Jul 2004 19:17:27 -0400 (EDT)
    
    

    On Thu, 8 Jul 2004, Dana Nowell wrote:
    > Aaahhhh, if they are on the same subnet, why is the gateway involved at
    > all? Last time I checked, 10.1.1.1 (assume mask 255.255.255.0) talked
    > directly to 10.1.1.2, no gateway in the middle. There is an automagic
    > 'static route' that says 10.1.1.x is local to the segment.

    To quote myself:

    "... as soon as you make a change in broadcast domains, the router is
    going to be involved"

    I'm quite sure that your machine, at 10.1.1.1/24 somewhere in New Hampshire
    isn't talking directly to my machine, at 10.1.1.2/24 somewhere in Ontario ;>

    If instead, both of our machines were sitting at a conference together,
    connected to the [ethernet] switch in front of us, then yes - you'd
    expect that they'd be able to communicate directly - although not quite
    as you describe.

    -For ethernet- it's accurate to say that "all hosts in the same broadcast
    domain are able to use ARP to translate IP addresses to link layer
    addresses (MAC addresses) and vice versa, to allow direct communication
    within that broadcast domain". It's disingenuous to describe it as
    an "automagic static route".

    It's also not true for all networking technologies.

    At any rate, this really boils down to "without knowing what the
    network of the original poster looks like, it's dangerous to
    make presumptions".

    Speaking of making presumptions, I've just realized, reading back over
    the OP's email, still more closely, that his concern is routing the
    networks that the firewalls are protecting, not between the firewalls
    per se, which makes most of this email a tangent.

    What he's really asking is whether it makes more sense to establish
    and maintain [static] routing tables on his firewalls, rather than
    set a default route, and let the router sort out what networks are
    where.

    In terms of performance, almost all firewalls handle routing decisions in
    software. The router handles the same decisions in hardware. The router
    is going to be faster[0]. It's the difference between taking the freeway
    or the back roads to a given location, presuming traffic conditions are
    clear.

    cheers!

    [0] This is the general case - I'm sure the list members can come up with
    ways to speed up software, and slow down hardware.

    > On Tue, 6 Jul 2004 13:50:18 -0400 (EDT) Gwendolynn ferch Elydyr penned:
    > >On Fri, 2 Jul 2004, Eric Appelboom wrote:
    > >> If one has firewall A with external ip on the same subnet as firewall B.
    > >> How common is the practice of adding static routes on firewall A for The
    > >> networks protected by firewall B and the other way round.
    > >>
    > >> Would this technique not lower the latency or overheads of not having the
    > >> packets en route from firewall A to firewall B being sent to its default
    > >> gateway to then be processed by the router and sent to firewall B. Thus the
    > >> traffic would be direct A<-->B
    > >
    > >I think you're a bit confused about how routing/routers work, and what
    > >the relative "costs" are.
    > >
    > >Your network layout isn't really clear from your email, but as soon as
    > >you make a change in broadcast domains, the router is going to be involved.
    > >
    > >> Besides being a tad messy would it be considered and at what traffic rate?
    > >
    > >Well - I generally wouldn't consider it at any traffic rate.
    > >
    > >First of all, it's not likely to improve your latency or overhead. The
    > >packets are still going to be seen by the router.
    > >
    > >Secondly, you've now added complexity to your network in the form of a
    > >bunch of static routes in different places, all of which need to be
    > >maintained - and almost certainly won't be, until some change breaks
    > >things.
    > >
    > >"a tad messy" is almost always a signal to run away screaming. That's
    > >code for "unmaintainable" and "all-nighters".
    > >
    > >Ranting briefly, a good design should be clear and easy to understand
    > >and explain. If you find yourself handwaving, or muttering quickly to
    > >get past some point in your design [or adding in "here be dragons"],
    > >you should stop and figure out why.
    >
    > --
    > Dana Nowell Cornerstone Software Inc.
    > Voice: 603-595-7480 Fax: 603-882-7313
    > email: DanaNowell_at_CornerstoneSoftware.com
    >

    ==========================================================================
    "A cat spends her life conflicted between a deep, passionate and profound
    desire for fish and an equally deep, passionate and profound desire to
    avoid getting wet. This is the defining metaphor of my life right now."

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
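
Added example (not part of the thread, and not code from any of the posters): a small longest-prefix-match forwarding table that shows the two decisions the reply above is distinguishing. The connected route for the firewall's own /24 is what makes 10.1.1.1 talk to 10.1.1.2 directly (next hop "direct", i.e. ARP for the destination itself), while a destination behind the other firewall falls through to the default route unless a more specific static route has been added. All addresses, interface names and the 192.0.2.0/24 and 198.51.100.0/24 "protected" networks are constructed for the illustration.

```python
"""Forwarding decision for a firewall with a connected outside segment,
a connected inside segment, a default route to the router, and optionally
a static route for the network behind a neighbouring firewall.
Constructed example; addresses are documentation/RFC 1918 ranges."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DIRECT = "direct"  # next hop is the destination itself (on-link, resolved by ARP)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str


class ForwardingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_connected(self, iface_addr: str, iface: str) -> None:
        # The "connected" route every interface address implies: the prefix
        # derived from the address and mask, with no gateway.
        net = ipaddress.ip_interface(iface_addr).network
        self.routes.append(Route(net, None, iface))

    def add_static(self, prefix: str, gateway: str, iface: str) -> None:
        self.routes.append(
            Route(ipaddress.ip_network(prefix), ipaddress.ip_address(gateway), iface)
        )

    def lookup(self, dst: str) -> Route:
        # Longest prefix match: the most specific matching route wins,
        # so a /24 static route beats the 0.0.0.0/0 default.
        d = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if d in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def next_hop(self, dst: str) -> Tuple[str, str]:
        r = self.lookup(dst)
        if r.gateway is None:
            return (DIRECT, r.iface)         # ARP for dst's own MAC
        return (str(r.gateway), r.iface)     # ARP for the gateway's MAC instead


def build_firewall_a(static_route_to_b: bool) -> ForwardingTable:
    """Firewall A: outside 10.1.1.1/24 (shared with firewall B at 10.1.1.2),
    inside 192.0.2.0/24, default gateway 10.1.1.254 (the router).
    Firewall B is assumed to protect 198.51.100.0/24 (constructed)."""
    ft = ForwardingTable()
    ft.add_connected("10.1.1.1/24", "eth0")
    ft.add_connected("192.0.2.1/24", "eth1")
    ft.add_static("0.0.0.0/0", "10.1.1.254", "eth0")
    if static_route_to_b:
        ft.add_static("198.51.100.0/24", "10.1.1.2", "eth0")
    return ft


if __name__ == "__main__":
    for static in (False, True):
        fw = build_firewall_a(static)
        print(f"static route to B: {static}")
        for dst in ("10.1.1.2", "192.0.2.9", "198.51.100.7", "203.0.113.5"):
            print(f"  {dst:>14} -> {fw.next_hop(dst)}")
```

The table only decides which MAC address the firewall will ARP for on which interface; it says nothing about the physical path. Whether the router is actually taken out of the path by the static route depends on the two firewalls really sharing a broadcast domain, which is exactly the layout detail the reply says was never made clear.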


