RE: Cisco 2611 as a firewall?
- To: "'tlug@example.com'" <tlug@example.com>
- Subject: RE: Cisco 2611 as a firewall?
- From: Scott Stone <SStone@example.com>
- Date: Fri, 18 May 2001 09:47:51 -0700
- Content-Type: text/plain;charset="iso-8859-1"
- Reply-To: tlug@example.com
- Resent-From: tlug@example.com
- Resent-Message-ID: <e7VToD.A.HsD.kLVB7@example.com>
- Resent-Sender: tlug-request@example.com
nah, that router won't be doing that much. Besides, without PAT, it won't scale very well. And, putting in PAT would ensure no servers would be running on machines on the dial-in pool, since there would be no external route to them.

-----------------------------------------------------
Scott M. Stone <sstone@example.com>
Senior Technical Consultant - UNIX and Networking
Taos, the Sysadmin Company - Santa Clara, CA

-----Original Message-----
From: Jonathan Q [mailto:jq@example.com]
Sent: Thursday, May 17, 2001 6:15 PM
To: tlug@example.com
Subject: Re: Cisco 2611 as a firewall?

Scott Stone (SStone@example.com) wrote:

> you still don't have to let all traffic in. you have to let in pretty much
> all UDP, and ICMP, but you don't have to let in all TCP SYN traffic, just
> TCP traffic with the RST/ACK bits set. SYN packets are used to initiate
> connections, and you don't often need to do that on an inbound basis.

Often enough. They'll need to be allowed for his smtp, pop, http, etc. on his servers, and if he doesn't prohibit the operation of servers in his dial pool (with a shoestring setup like his and only a T1 for an uplink, you can bet I would prohibit them; that network doesn't have much in the way of resources to spare), then he needs to allow it there, too.

> One thing that concerns me about using a router as a firewall like this,
> though, is the issue of port address translation

Happily, he hasn't said anything about doing PAT, and that can of worms would be best left unopened. This is going to be one busy little router, even without that.

Jonathan
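Added example, not part of the original thread and not either poster's configuration: one way the filtering discussed above (replies by ACK/RST, inbound SYNs only to the mail and web servers, UDP and ICMP left open) could be written as an IOS extended ACL. The ACL name, the interface and every address (taken from the 192.0.2.0/24 documentation range) are assumptions.

```cisco
! Added example. Assumptions: 192.0.2.0/24 stands in for the site's
! address space, .25 and .80 are the servers, .128/26 is the dial pool,
! and Serial0/0 is the T1 uplink. None of these come from the thread.
ip access-list extended T1-INBOUND
 remark Replies to connections opened from inside
 remark established tests the ACK or RST bit, it does not track state
 permit tcp any any established
 remark Inbound SYNs only to the published services (smtp, pop, http)
 permit tcp any host 192.0.2.25 eq smtp
 permit tcp any host 192.0.2.25 eq pop3
 permit tcp any host 192.0.2.80 eq www
 remark Enable the next rule only if servers are allowed in the dial pool
 ! permit tcp any 192.0.2.128 0.0.0.63
 remark UDP and ICMP left open, as described in the thread
 permit udp any any
 permit icmp any any
 deny ip any any log
!
interface Serial0/0
 ip access-group T1-INBOUND in
```

Rules are evaluated top down and the first match wins, so the final deny only sees inbound TCP segments that carry neither ACK nor RST and are not addressed to one of the listed services.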