Re: [SLUG] worth of firewall-in-a-box hubs?

From: Paul M Foster (paulf@quillandmouse.com)
Date: Sun Mar 31 2002 - 13:58:48 EST


On Sun, Mar 31, 2002 at 08:14:39AM -0500, Paul Braman wrote:

>
> Okay, for those that have them up and running, a few questions...
>
> What do I set as the DNS server for the machines on the LAN? Ideally, I
> shouldn't have to set it to Road Runner's DNS servers because they are
> configured via DHCP and the IP address might change. Would I point it at
> the gateway itself and have it forward the request?
>

Can't help you here. I use /etc/hosts for names, since there are only
three machines turned on on the LAN. I only use dhcpcd for getting my IP
from Verizon.

> I've actually read one of these gateways configures its internal time via
> NTP, but my question is whether it may serve as an NTP source for the LAN
> (for those of you who have one of these gateways)?
>
> When the firewall is doing its NAT thing, how does it know when the
> internal machine is "done"? The internal machine will send out a packet
> and wait for a reply, and the firewall will accept the reply and forward
> it to the internal machine. However, if there is too long of a delay, the
> internal machine might have moved on to bigger and better things and now
> the return packet is indistinguishable from a random probe. At what point
> will the firewall not do this forwarding? (This is more of a technical
> question about how firewalls work in general...I'm really curious.)
>

This depends on whether you're doing "stateful" routing or not. With
ipchains, it doesn't matter, since the machine doesn't keep track of
whether a given packet is received in reply to one sent. With ipfilter,
you can enable stateful routing, in which case, it will track response
packets. As for a time limit, I never heard the question asked before.

Of course, that begs a different question. Since, even with ipchains,
packets come to the internet IP, how does the router know which LAN
machine to route the packet to? I assume that the MAC address of the NIC
is involved or something. Bottom line is that I assume that there is
something in the answer packets that gives a clue (besides the
non-routable IP of the LAN machine) to where a packet gets routed. If
that's the case, then the question of "how long" the firewall waits is
moot.

Paul
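The two questions raised in this thread (how a masquerading gateway knows which LAN host a reply belongs to, and when it stops forwarding replies) are what a stateful NAT translation table answers. The following toy model is an added example and is not code from the original message or from any of the products named in it: each outbound flow is rewritten to a fresh public source port, the gateway records the (public port, remote endpoint, LAN host) tuple, an inbound packet is forwarded only if it matches a live entry, and entries that stay idle past a timeout are dropped, after which a late reply is treated exactly like an unsolicited probe. All addresses, ports and the 60-second timeout are constructed values; real connection trackers use per-protocol idle timeouts.

```python
"""Toy model of stateful NAT (masquerading) with an idle timeout.

Added example, not from the original post. Addresses, ports and the
timeout below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class NatEntry:
    """One tracked flow: which LAN socket a public port currently stands for."""
    lan_ip: str
    lan_port: int
    remote_ip: str
    remote_port: int
    last_seen: float  # seconds; refreshed by every packet in either direction


class StatefulNat:
    def __init__(self, public_ip: str, idle_timeout: float = 60.0, first_port: int = 40000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.table: dict[int, NatEntry] = {}          # public port -> entry
        self.flows: dict[tuple, int] = {}             # (lan_ip, lan_port, remote_ip, remote_port) -> public port

    def _expire(self, now: float) -> None:
        """Drop entries that have been idle longer than the timeout."""
        stale = [p for p, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for p in stale:
            e = self.table.pop(p)
            self.flows.pop((e.lan_ip, e.lan_port, e.remote_ip, e.remote_port), None)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite an outgoing packet; return the header as seen on the internet."""
        self._expire(now)
        flow = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.flows.get(flow)
        if pub_port is None:
            # New flow: allocate a public port. Two LAN hosts using the same
            # private source port get distinct public ports, which is what
            # lets the reply be demultiplexed without any MAC-level state.
            pub_port = self.next_port
            self.next_port += 1
            self.flows[flow] = pub_port
            self.table[pub_port] = NatEntry(src_ip, src_port, dst_ip, dst_port, now)
        else:
            self.table[pub_port].last_seen = now
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, now):
        """Return (lan_ip, lan_port) to forward to, or None if the packet is dropped."""
        self._expire(now)
        entry = self.table.get(dst_port)
        if entry is None or (entry.remote_ip, entry.remote_port) != (src_ip, src_port):
            # No live state for this port/remote pair: an unsolicited probe
            # and a reply that arrived after the timeout look identical here.
            return None
        entry.last_seen = now
        return (entry.lan_ip, entry.lan_port)


def scenario():
    """Two LAN hosts query the same DNS server from the same source port."""
    nat = StatefulNat("203.0.113.5", idle_timeout=60.0)
    a = nat.outbound("192.168.1.10", 1025, "198.51.100.53", 53, now=0.0)
    b = nat.outbound("192.168.1.11", 1025, "198.51.100.53", 53, now=1.0)
    reply_a = nat.inbound("198.51.100.53", 53, a[1], now=2.0)   # forwarded to .10
    reply_b = nat.inbound("198.51.100.53", 53, b[1], now=2.0)   # forwarded to .11
    probe = nat.inbound("198.51.100.200", 4444, a[1], now=3.0)   # wrong remote: dropped
    late = nat.inbound("198.51.100.53", 53, a[1], now=200.0)     # idle > 60 s: dropped
    return {
        "a_public": a,
        "b_public": b,
        "reply_a": reply_a,
        "reply_b": reply_b,
        "probe": probe,
        "late": late,
        "entries_left": len(nat.table),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model is deliberately minimal (no TCP state machine, no port reuse), but it shows the two defensive properties that matter: a packet reaching the public address is only forwarded when it matches a recorded flow, and the record disappears after the idle timeout, so the "how long" question is answered by that timeout rather than left open.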



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:02:53 EDT