routing problem - fork on gateways

Jack quiet_celt at yahoo.com
Tue Sep 6 17:07:34 CDT 2005


Ummm... no. Wrong on both accounts.
See Jeremy's post about source-routing for one method.
The firewall rules are never bypassed, that's why you
need rules to specifically allow "established"
connections. It is also why when writing your rules
you want to put those rules near the top so that
established connections don't have to run the entire
gamut of the ruleset to get an up/down vote on whether
to accept. Now maybe some firewalls resort the rules
to get this behavior, but I haven't seen this with any
Linux software firewalls.

Brian
--- David Nicol <davidnicol at gmail.com> wrote:

> On 9/5/05, Jack <quiet_celt at yahoo.com> wrote:
> 
> > read the RFCs, but IIRC once a connection is "established" it will
> > bypass the router if that makes a shorter route. This is what you
> > *want* to happen anyway, if your router is separate from the
> > firewall. If the firewall is compromised though, all bets are off.
> > Of course, it's easy to test my hypothesis by running ethereal on
> > the router, firewall and client pc.
> > 
> > Brian JD
> 
> what gets bypassed with established TCP connections is the firewall
> rules, as an optimization for reducing CPU load on firewall machines.
> That's TCP connections, not routes. Routes must involve routers unless
> there is direct connection, (or faking of direct connection through
> VPN bridging or something like that)
> 
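As an added illustration of the rule-ordering point in the reply above (constructed example code, not anything posted in this thread): a toy first-match filter chain with a connection-tracking table, in the style of an iptables INPUT chain. Every packet walks the chain from the top until a rule matches, so nothing is "bypassed"; an ESTABLISHED accept rule at the top simply ends the walk after one rule, while the same rule at the bottom forces every mid-stream segment through the whole ruleset. The class names, the 50 constructed service rules and the addresses and ports are all assumptions; the model deliberately reduces real netfilter/conntrack behaviour to the single point at issue.

```python
"""Toy model of a first-match firewall chain with connection tracking.

Constructed example for the mailing-list discussion above; not a real
iptables implementation.  The real-world equivalent of the rule being
placed first is:

    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool  # True for a connection-opening SYN, False for a mid-stream segment


@dataclass
class Rule:
    name: str
    action: str                    # "ACCEPT" or "DROP"
    state: Optional[str] = None    # "NEW", "ESTABLISHED", or None (don't care)
    dport: Optional[int] = None    # destination port, or None (don't care)

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.state is not None and self.state != state:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Firewall:
    """Linear first-match chain plus a minimal connection-tracking table."""

    def __init__(self, rules: List[Rule], policy: str = "DROP") -> None:
        self.rules = list(rules)
        self.policy = policy
        # Simplification: a flow is tracked by (src, dst, dport) once accepted.
        self.conntrack: set = set()

    def conn_state(self, pkt: Packet) -> str:
        # State comes from the tracking table, not from the packet's own flags:
        # a forged non-SYN segment for an unknown flow is still NEW.
        return "ESTABLISHED" if (pkt.src, pkt.dst, pkt.dport) in self.conntrack else "NEW"

    def filter(self, pkt: Packet) -> Tuple[str, int]:
        """Return (verdict, number_of_rules_evaluated)."""
        state = self.conn_state(pkt)
        evaluated = 0
        verdict = self.policy
        for rule in self.rules:
            evaluated += 1
            if rule.matches(pkt, state):
                verdict = rule.action
                break
        if verdict == "ACCEPT":
            self.conntrack.add((pkt.src, pkt.dst, pkt.dport))
        return verdict, evaluated


SERVICE_PORTS = list(range(8000, 8050))  # 50 constructed per-service rules


def build_rules(established_first: bool) -> List[Rule]:
    service = [Rule(f"allow-{p}", "ACCEPT", state="NEW", dport=p) for p in SERVICE_PORTS]
    est = Rule("established", "ACCEPT", state="ESTABLISHED")
    return [est] + service if established_first else service + [est]


def run_scenario(established_first: bool) -> Dict[str, Tuple[str, int]]:
    """Three constructed packets against one ordering of the chain."""
    fw = Firewall(build_rules(established_first))
    syn = Packet("10.0.0.5", "192.0.2.10", 8020, syn=True)          # NEW, allowed port
    data = Packet("10.0.0.5", "192.0.2.10", 8020, syn=False)        # same flow, now ESTABLISHED
    spoof = Packet("203.0.113.9", "192.0.2.10", 22, syn=False)      # unknown flow, no rule
    return {
        "syn": fw.filter(syn),
        "established": fw.filter(data),
        "spoofed": fw.filter(spoof),
    }


if __name__ == "__main__":
    for order in (True, False):
        print("ESTABLISHED rule first" if order else "ESTABLISHED rule last", run_scenario(order))
```

With the ESTABLISHED rule first, the mid-stream segment is accepted after evaluating one rule; with it last, the same segment is evaluated against all 51 rules before being accepted. In both orderings the forged non-SYN segment for an untracked flow walks the entire chain and is dropped, which is the reason the rule is needed at all: the chain never exempts established traffic, it accepts it because a rule says so.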


