Ummm... no. Wrong on both accounts. See Jeremy's post about source-routing for one method. The firewall rules are never bypassed, that's why you need rules to specifically allow "established" connections. It is also why when writing your rules you want to put those rules near the top so that established connections don't have to run the entire gamut of the ruleset to get an up/down vote on whether to accept. Now maybe some firewalls resort the rules to get this behavior, but I haven't seen this with any Linux software firewalls.
Brian

--- David Nicol <davidnicol@gmail.com> wrote:

> On 9/5/05, Jack <quiet_celt@yahoo.com> wrote:
> > read the RFCs, but IIRC once a connection is "established" it will bypass the router if that makes a shorter route. This is what you *want* to happen anyway, if your router is separate from the firewall. If the firewall is compromised though, all bets are off. Of course, it's easy to test my hypothesis by running ethereal on the router, firewall and client pc.
> >
> > Brian JD
>
> what gets bypassed with established TCP connections is the firewall rules, as an optimization for reducing CPU load on firewall machines. That's TCP connections, not routes. Routes must involve routers unless there is a direct connection (or faking of a direct connection through VPN bridging or something like that).
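An added example, not from anyone in this thread, of the rule ordering Brian describes: an iptables INPUT chain where the connection-tracking ACCEPT sits at the top so that packets of established connections match on the first rule instead of walking the whole ruleset. It assumes a single host offering only SSH; the IPT variable defaults to a dry run (echo) so it can be read without root.

```shell
# Added example (not code from the thread): iptables INPUT chain laid out so
# that return traffic of "established" connections is decided by the FIRST
# rule. Nothing skips the chain; the rule position is what keeps the walk
# short. Assumed setup: one host, SSH is the only inbound service.
# IPT defaults to a dry run; run with IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

build_input_chain() {
    $IPT -P INPUT DROP                  # default policy: drop what no rule accepts
    $IPT -F INPUT                       # start from an empty chain
    # 1. Packets belonging to connections conntrack already knows: checked
    #    first, so they never reach the service rules below.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Packets conntrack cannot place in any connection state.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 3. Loopback traffic.
    $IPT -A INPUT -i lo -j ACCEPT
    # 4. NEW connections only to services we actually offer.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # 5. Rate-limited log of whatever falls through to the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Position of the ESTABLISHED rule among the appended (-A) rules; 1 means it
# is the first rule a packet is checked against.
established_rule_position() {
    build_input_chain | grep -- '-A INPUT' | grep -n ESTABLISHED | cut -d: -f1
}

build_input_chain
```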