W2K Firewall That Can Route Outbound Packets on Same Inter..

Archived from groups: comp.security.firewalls (More info?)

I'm looking for a firewall or router that will run on Windows 2000 that can
route packets out on the same interface they arrived on, or could apply
different routing tables based on the interface to which a packet arrives.
This is to support a mail server which we want to connect to two ISP
networks. We don't want a default outgoing route on any one interface,
which is what Windows 2000's IP implementation requires.

If this is not available for Windows, is it available for any UNIX
implementation?

--
Will
westes AT earthbroadcast.com
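Since the thread asks whether any UNIX does this, here is an added example (not posted by anyone in the thread) of the Linux iproute2 policy-routing setup that sends replies back out through the ISP whose address they carry. Interface names, addresses (RFC 5737 documentation ranges) and table numbers are constructed.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: Linux policy routing with
# iproute2 so that each ISP-facing address answers through its own ISP's gateway.
# Interfaces, addresses (RFC 5737 ranges) and table numbers are constructed.

# emit_isp_table TABLE IFACE LOCAL_IP SUBNET GATEWAY
# Prints the commands that give one ISP a private routing table whose only
# default route is that ISP's gateway, plus a rule sending every packet
# sourced from LOCAL_IP to that table. Nothing is applied here.
emit_isp_table() {
    table=$1 iface=$2 local_ip=$3 subnet=$4 gw=$5
    # Connected route for the ISP subnet, so the table can resolve its gateway.
    printf 'ip route add %s dev %s src %s table %s\n' "$subnet" "$iface" "$local_ip" "$table"
    # The per-ISP default: this table can only leave through this ISP.
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # Source-address rule, consulted before the main table (priority 32766), so a
    # reply carrying this ISP's address never falls back to the single global default.
    printf 'ip rule add from %s/32 table %s priority %s\n' "$local_ip" "$table" "$table"
}

# The two-ISP mail host from the original post. TCP replies are sent from the
# local address the connection arrived on, so these rules alone make each reply
# leave on the interface it came in on; the main table keeps its normal default
# for connections the host itself initiates.
emit_dual_isp() {
    emit_isp_table 100 eth0 203.0.113.10  203.0.113.0/24  203.0.113.1
    emit_isp_table 200 eth1 198.51.100.10 198.51.100.0/24 198.51.100.1
    # Harmless on current kernels; required on old ones that cached route lookups.
    printf 'ip route flush cache\n'
}

# Number of source-address rules in a generated script (one per ISP expected).
count_rules() { printf '%s\n' "$1" | grep -c '^ip rule add from '; }

# Check after applying (run as root):
#   ip route get 192.0.2.25 from 198.51.100.10   # expect: via 198.51.100.1 dev eth1
case "${1:-}" in
    apply) emit_dual_isp | sh ;;   # as root
    *)     emit_dual_isp ;;        # default: just print the commands
esac
```

Without such rules a reply sourced from the second ISP's address leaves via the first ISP's gateway, and upstream ingress filtering (BCP 38) will commonly drop it as a spoofed source, which is why a single default route is not merely asymmetric but often broken.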
  1. Archived from groups: comp.security.firewalls

    http://www.cyberguard.com/snapgear/products.html

    I'd suggest using a hardware solution.
    Do you really want to trust your security to microsoft?
    I sure wouldn't.....
  2. Archived from groups: comp.security.firewalls

    I am not using this firewall as a "firewall". I'm using this firewall as a
    way to replace the default IP stack in Windows with one that gives me the
    desired routing behavior I seek.

    Based on this I assume Cyberguard is not a solution to my problem, because I
    cannot run my application on the Cyberguard box. Moreover, it's not clear
    that Cyberguard would return packets on the same interface on which they
    arrived.

    The application and box we are trying to find an alternative IP stack for is
    behind a firewall and an additional NAT layer, and moreover only our service
    provider's selected hosts can contact it. I have few security concerns
    about it. My problem is how do I get it to simultaneously converse with
    two different ISP networks without having return packets go to a single
    ISP's network.

    --
    Will
    westes AT earthbroadcast.com


    "DaveT" <bgates@sbcglobal.net> wrote in message
    news:2YWpc.27498$eq2.10043@newssvr22.news.prodigy.com...
    > http://www.cyberguard.com/snapgear/products.html
    >
    > I'd suggest using a hardware solution.
    > Do you really want to trust your security to microsoft?
    > I sure wouldn't.....
    >
    >
    >
  3. Archived from groups: comp.security.firewalls

    On Mon, 17 May 2004 04:11:42 GMT, DaveT spoketh

    >http://www.cyberguard.com/snapgear/products.html
    >
    >I'd suggest using a hardware solution.
    >Do you really want to trust your security to microsoft?
    >I sure wouldn't.....
    >

    Firewalls running on Microsoft platforms are just as secure as firewalls
    running on any other platform...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  4. Archived from groups: comp.security.firewalls

    From the requirements you mentioned, what you are looking for is a
    "persistent" or "sticky" session. Server persistence and/or client
    persistence for sessions is required if you are using MEP (multi entry
    protocols) for redundant connections.

    I know that CheckPoint has it. As far as using different ISPs as carrier
    providers, what you need to do is configure failover or high availability
    that will sense a failure on the primary connection and fail over to the
    secondary connection in case of failure.
    "CHANGE USERNAME TO westes" <DELETE_westes@earthbroadcast.com> wrote in
    message news:0M2dneKSTtvNhzXdRVn-sw@giganews.com...
    > I'm looking for a firewall or router that will run on Windows 2000 that can
    > route packets out on the same interface they arrived on, or could apply
    > different routing tables based on the interface to which a packet arrives.
    > This is to support a mail server which we want to connect to two ISP
    > networks. We don't want a default outgoing route on any one interface,
    > which is what Windows 2000's IP implementation requires.
    >
    > If this is not available for Windows, is it available for any UNIX
    > implementation?
    >
    > --
    > Will
    > westes AT earthbroadcast.com
    >
    >


    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.686 / Virus Database: 447 - Release Date: 5/14/2004
  5. Archived from groups: comp.security.firewalls

    Checkpoint has persistence of sessions, but under Windows 2000 Checkpoint
    does NOT implement the behavior of sending outbound packets on the same
    interfaces they arrived on. Checkpoint only modifies the headers of the IP
    packet, and then it passes the packet to standard Windows networking.
    Windows networking in turn only recognizes one default outgoing route.

    Regarding failover, you are looking at the problem backwards. I'm not
    trying to configure a behavior for sessions that are initiated on our side.
    Our mail host will be seen through its public MX records as being two
    separate MX hosts with two separate IP addresses on different networks.
    So the case I care about is where an outside mail server initiates a
    connection into us on different ISP networks. I need to make sure that the
    packets return back on the same interface they arrived on.

    --
    Will
    westes AT earthbroadcast.com

    "Beoweolf" <Beoweolf@pacbell.net> wrote in message
    news:WEdqc.50046$OB4.23079@newssvr29.news.prodigy.com...
    > From the requirements you mentioned, what you are looking for is a
    > "persistent" or "sticky" session. Server persistence and/or client
    > persistence for sessions is required if you are using MEP (multi entry
    > protocols) for redundant connections.
    >
    > I know that CheckPoint has it. As far as using different ISPs as carrier
    > providers, what you need to do is configure failover or high availability
    > that will sense a failure on the primary connection and fail over to the
    > secondary connection in case of failure.
  6. Archived from groups: comp.security.firewalls

    Appears I misunderstood your problem; your explanation of what you are
    attempting to do makes it clear that you do have a handle on the problem. I
    will anxiously monitor this thread to see what the eventual solution ends up
    being.

    "CHANGE USERNAME TO westes" <DELETE_westes@earthbroadcast.com> wrote in
    message news:nZOdnVy5NcPRpDfdRVn-sw@giganews.com...
    > Checkpoint has persistence of sessions, but under Windows 2000 Checkpoint
    > does NOT implement the behavior of sending outbound packets on the same
    > interfaces they arrived on. Checkpoint only modifies the headers of the IP
    > packet, and then it passes the packet to standard Windows networking.
    > Windows networking in turn only recognizes one default outgoing route.
    >
    > Regarding failover, you are looking at the problem backwards. I'm not
    > trying to configure a behavior for sessions that are initiated on our side.
    > Our mail host will be seen through its public MX records as being two
    > separate MX hosts with two separate IP addresses on different networks.
    > So the case I care about is where an outside mail server initiates a
    > connection into us on different ISP networks. I need to make sure that the
    > packets return back on the same interface they arrived on.
    >
    > --
    > Will
    > westes AT earthbroadcast.com
    >

