Receive/Transmit

I recently read this post on Ivan Pepelnjak’s blog, where he discusses a pretty intense debate about whether or not firewalls are actually any good. The area where people are claiming they aren’t is in front of servers. One of the main benefits of a firewall is stateful packet inspection – the firewall monitors what connections are taking place and dynamically opens ports to let permitted return traffic through. However one opinion is that since all packets to a server are unsolicited, stateful tracking is useless and you should instead stick with basic routers and access lists (which don’t fall down as easily in the event of  a DoS/DDoS). I suppose this opinion is talking of servers in the classical sense, where they only ever take inbound connections and don’t initiate outbound ones. Its very interesting reading, especially the comments.

For my part I don’t deal with set ups big enough to hit some of the limits they are discussing but it’s certainly thought provoking. Most people’s standard response is that you should have a firewall in front of everything, but after following the discussion I’m now not so sure

This little problem had me scratching my head for a while, and as usual the solution is pretty simple. The scenario is that you have some kind of link from an ISP with static addresses. At some point you have outgrown your original assignment and have requested a new block, which the ISP has set up at their end. You want NAT an address on the new external subnet to an internal address as shown below. Now on a PIX or ASA you just set up the NAT rules and everything works, but in IOS things are a little more subtle. First the diagram and relevant initial configs. Note that the customer router only has an external IP on the first subnet – in our case this was due to a lack of spare addresses:

(continue reading…)