Apparently you read just enough to see the heart of my problem. Thank You!
And yes, you are definitely correct that the presence of the multi-homed host on the firewalled subnet certainly has the *potential* to render the firewall useless... And just like the English language there seems to be an exception to every rule...
The multi-homed host is HPUX and gated has been disabled to hopefully reduce this potential. -- The multi-homed host is a necessary evil I need to work around.
Thanks again for your help AND thoughts,
From: Linus van Geuns [mailto:firstname.lastname@example.org]
Sent: Wednesday, February 23, 2011 9:26 AM
To: Love, Doug
Subject: Re: [Fwbuilder-discussion] fwbuilder, netfilter and asymetric routes
Hey "Love[,] Do[u]g", :-)
On Wed, Feb 23, 2011 at 5:01 PM, Love, Doug <email@example.com> wrote:
> More specifically I can see (via /proc/net/ip_conntrack) attempts from any lab-subnet host, XX.XX.XX.2, to the fw-subnet Multi-homed IF, YY.YY.YY.14. And on the Multi-homed host I can see that this connection attempt is received, but the corresponding ACK back is returned through the other IF, the lab-subnet IF, XX.XX.XX.203 to the originating XX.XX.XX.2. - This asymmetric route back (bypassing the firewall) causes the connection attempt (ssh, rsh, etc.) to appear hung because netfilter never sees the return response.
I didn't read all the details, but sounds like you want the firewall rules applying to your multi-homed host situation to be stateless.
You can switch to stateless firewalling on a per rule basis using fwbuilder - I think it's somewhere in "Options".
Alternatively you could do the firewalling on the multi-homed host itself.
You should evaluate whether your rules for firewalling the dual-homed situation are rendered useless by that multi-homed host accepting incoming traffic for all its IP addresses w/o considering the input interface.
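The hang described in the quoted message and the stateless workaround suggested above, as an added illustration that is not part of the thread: a reduced model of netfilter's TCP connection tracking (assumed transitions only; real conntrack also checks sequence windows) run over the packets the firewall actually sees on a symmetric path versus the asymmetric one, with a stateful and a stateless rule set side by side.

```python
# Added example (not from the thread): reduced model of netfilter's TCP
# conntrack, showing why a stateful rule rejects the client's follow-up ACK
# when the SYN-ACK bypassed the firewall, while a stateless rule passes it.

# Simplified state machine: (state, direction, flags) -> next state.
# 'orig'  = client (lab subnet) -> multi-homed host
# 'reply' = multi-homed host -> client
TRANSITIONS = {
    ("NONE", "orig", "SYN"): "SYN_SENT",
    ("SYN_SENT", "reply", "SYN-ACK"): "SYN_RECV",
    ("SYN_RECV", "orig", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "orig", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "reply", "ACK"): "ESTABLISHED",
}

# Each packet is (direction, tcp_flags, service_port_of_the_flow).


def stateful_filter(packets):
    """Verdicts for: accept NEW to port 22, accept ESTABLISHED, drop the rest."""
    state = "NONE"
    verdicts = []
    for direction, flags, svc_port in packets:
        nxt = TRANSITIONS.get((state, direction, flags))
        if nxt is None:
            verdicts.append("DROP")  # packet does not fit tracked state: INVALID
            continue
        verdict = "ACCEPT" if (state != "NONE" or svc_port == 22) else "DROP"
        if verdict == "ACCEPT":
            state = nxt
        verdicts.append(verdict)
    return verdicts


def stateless_filter(packets):
    """Stateless equivalent: allow every packet of a port-22 flow, no tracking."""
    return ["ACCEPT" if svc_port == 22 else "DROP" for _, _, svc_port in packets]


# Constructed traces of what the firewall itself observes.
SYMMETRIC = [("orig", "SYN", 22), ("reply", "SYN-ACK", 22), ("orig", "ACK", 22)]
# Asymmetric: the SYN-ACK left via the lab-subnet interface, so it is absent here.
ASYMMETRIC = [("orig", "SYN", 22), ("orig", "ACK", 22)]

if __name__ == "__main__":
    for name, trace in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        print(name, "stateful:", stateful_filter(trace),
              "stateless:", stateless_filter(trace))
```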