routing problem - fork on gateways

Jack quiet_celt at yahoo.com
Mon Sep 5 21:56:05 CDT 2005


--- David Nicol wrote:

> > Now an intelligent IP protocol will bypass the router once it has found the gateway, so traffic only goes through the router the first time. Correct me if I'm wrong in any of this. I don't see the internet gateway in the description of the LAN anywhere, so I've assumed that the firewall is the gateway. I see only the firewall with a local address connected to the cable modem, which I don't think will work the way described. Something here has to be connected to two networks (LAN & internet).
> > 
> > Brian JD
> 
> The piece of the puzzle that appears absent from your communicated understanding of the situation in discussion is that the box that is talking to the internet is doing network address translation, so even an IP stack that would bypass a hop if it can will do no such thing.
That's an incorrect conclusion. The place where NAT
will happen is only on the firewall, unless the router
is also running a firewall. I didn't see that in the
specs of the network in question. While the NAT
machine is going to translate the local address, and
there really is no way to skip the firewall (if the
network is configured properly), I was stating that
the router isn't part of the communications after the
initial connection. Depending on the rules in the
firewall, it is possible to prevent any outgoing
packet from any location other than the router;
however, this may break connections. I think that a
route can only prevent "initial" connections coming
from any PC other than the router. I'd have to go and
read the RFCs, but IIRC once a connection is
"established" it will bypass the router if that makes
a shorter route. This is what you *want* to happen
anyway, if your router is separate from the firewall.
If the firewall is compromised though, all bets are
off. Of course, it's easy to test my hypothesis by
running Ethereal on the router, firewall and client
PC.

Brian JD
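The capture test Brian proposes at the end of his message, worked through as an added example that is not part of the original thread: it compares constructed tcpdump-style summary lines (hypothetical LAN and server addresses) taken on the client, router and firewall, and reports whether the router saw anything beyond the opening of the connection.

```python
import re

# Constructed addresses (hypothetical): client and router on the LAN, the
# firewall is the NAT box; captures are taken on LAN-facing interfaces so
# the flow shows the untranslated client address at every vantage point.
CLIENT, SERVER = "10.0.0.20", "203.0.113.10"

# Constructed tcpdump-style summary lines for one TCP flow.
FLOW = [
    "IP 10.0.0.20.40000 > 203.0.113.10.80: Flags [S], seq 1, length 0",
    "IP 203.0.113.10.80 > 10.0.0.20.40000: Flags [S.], seq 100, ack 2, length 0",
    "IP 10.0.0.20.40000 > 203.0.113.10.80: Flags [.], ack 101, length 0",
    "IP 10.0.0.20.40000 > 203.0.113.10.80: Flags [P.], seq 2:80, ack 101, length 78",
    "IP 203.0.113.10.80 > 10.0.0.20.40000: Flags [.], ack 80, length 0",
]
CAPTURES = {
    "client": FLOW,
    # Constructed router capture: it forwards only the first packet; the
    # ICMP redirect line is not a TCP summary and is skipped by the parser.
    "router": [FLOW[0],
               "IP 10.0.0.1 > 10.0.0.20: ICMP redirect 203.0.113.10 to host 10.0.0.254, length 36"],
    "firewall": FLOW,
}

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(lines):
    """Return (src, sport, dst, dport, flags) for each TCP summary line."""
    return [(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])
            for m in map(LINE_RE.search, lines) if m]

def flow_report(captures, client, server, dport):
    """Per vantage point, count handshake packets (SYN set) vs later packets."""
    report = {}
    for vantage, lines in captures.items():
        counts = {"handshake": 0, "later": 0}
        for src, sport, dst, dp, flags in parse(lines):
            if {src, dst} == {client, server} and dport in (sport, dp):
                counts["handshake" if "S" in flags else "later"] += 1
        report[vantage] = counts
    return report

def router_bypassed(report, router="router"):
    """True when the router saw the connection open but none of the later packets."""
    seen = report[router]
    return seen["handshake"] > 0 and seen["later"] == 0

if __name__ == "__main__":
    rep = flow_report(CAPTURES, CLIENT, SERVER, 80)
    for vantage, counts in rep.items():
        print(f"{vantage:>8}: {counts}")
    print("router bypassed after handshake:", router_bypassed(rep))
```

Feed real summaries from each capture point into `CAPTURES` and the same comparison shows whether the router keeps carrying the flow or only its first packets.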

