HP3000-L Archives

June 2002, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Patrick Santucci <[log in to unmask]>
Reply To: Patrick Santucci <[log in to unmask]>
Date: Sat, 22 Jun 2002 01:16:38 -0400

Rick asks,

> What can we do to prevent the HP from picking the firewall as a
> gateway? We were thinking of creating an access-list for the router
> to deny all traffic from the HP to the firewall (except ftp). Is
> this do-able? Will this solve the problem?

Probably not, if the access list is on the firewall router.

> Will changing the default gateway on the HP from @ to specific
> router IPs prevent this?

Nope. BTDT, it didn't help. Actually, you identified the problem, and it's
not with the 3000:

> Our default gateway (10.1.1.1) currently routes all unknown
> (external) traffic to 10.1.1.29

I've had similar gateway problems here. It happens because the HP3000 is so
"good" about handling redirect messages from the default gateway. The
problem is one of assumptions: the network admin assumes that all "unknown"
traffic must be "external" to the WAN, i.e. Internet traffic. So s/he
configures the default router to do just that. But when a WAN connection
drops, the default router treats it the same way: it redirects it to the
firewall, sending a redirect message to the 3000 at the same time. It
doesn't seem to matter whether the failed request was an address that's
illegal in public IP space; the router is doing what it was told. :-(

The only lasting solution I've found was not on the 3000 side (because as I
said the problem is not with the 3000), but it does work, if you can get
your networking people to do it.

Because your firewall router (10.1.1.29) is defined as the "gateway of last
resort" in your default router (10.1.1.1), you need to have your network
people set up rules *on the default router* such that any failed requests
originating from the 3000 *don't* get forwarded to the firewall, even if
they fail. This may or may not be easy to do, depending on the router config
software, but it's usually possible.

As an alternative, they may need to add rules to the default router so IP
addresses that are never supposed to go through the firewall (like 10.x.x.x
addresses) don't.

Hope this helps,
Patrick
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Patrick Santucci
HP e3000 Systems Administrator
Computer Operations Team Lead
Networking Services Department
Cornerstone Brands, Inc.
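A toy model of the forwarding decision Patrick describes, added here as a constructed example (not code from the post or from any router): the default router 10.1.1.1 uses longest-prefix match with 10.1.1.29 as its gateway of last resort, so a destination whose specific route vanishes when the WAN drops falls through to the firewall and triggers an ICMP redirect to the sender. The 10.2.0.0/16 remote site and the 10.1.1.2 WAN router are invented; `after_fix()` shows the "don't forward 10.x.x.x to the firewall" rule as a blackhole route.

```python
import ipaddress

# Constructed example, not from the post: the default router 10.1.1.1 from
# the thread, with 10.1.1.29 (the firewall) as its gateway of last resort.
# The 10.2.0.0/16 WAN route and the 10.1.1.2 WAN router are hypothetical.

LAN = ipaddress.ip_network("10.1.1.0/24")
FIREWALL = "10.1.1.29"                   # gateway of last resort (from the thread)
WAN_ROUTE = {"10.2.0.0/16": "10.1.1.2"}  # hypothetical remote site via WAN router


class Router:
    """Longest-prefix-match forwarder; a None next hop is a blackhole (drop)."""

    def __init__(self, routes, last_resort):
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        self.last_resort = last_resort

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return self.last_resort      # nothing more specific: off to the firewall
        nh = self.routes[max(matches, key=lambda n: n.prefixlen)]
        return "DROP" if nh is None else nh

    def redirect_target(self, src, dst):
        """ICMP redirect is sent when the next hop sits on the sender's own subnet."""
        nh = self.next_hop(dst)
        if nh in ("DROP", "direct"):
            return None
        on_lan = ipaddress.ip_address(src) in LAN and ipaddress.ip_address(nh) in LAN
        return nh if on_lan else None

    def wan_down(self):
        """Simulate the WAN link failing: its specific route disappears."""
        self.routes = {n: nh for n, nh in self.routes.items() if str(n) != "10.2.0.0/16"}
        return self


def before_fix():
    return Router({str(LAN): "direct", **WAN_ROUTE}, FIREWALL)


def after_fix():
    # Blackhole the whole private range so unknown 10.x.x.x destinations are
    # dropped on the default router instead of being handed to the firewall.
    return Router({str(LAN): "direct", **WAN_ROUTE, "10.0.0.0/8": None}, FIREWALL)
```

With the WAN up, the 3000 is redirected to the WAN router either way; with the WAN down, only the blackholed configuration stops the redirect toward 10.1.1.29 while genuinely external destinations still reach the firewall.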
