--- David Nicol wrote:
Now an intelligent IP protocol will bypass the router once it has found the gateway, so traffic only goes through the router the first time. Correct me if I'm wrong in any of this. I don't see the internet gateway in the description of the LAN anywhere, so I've assumed that the firewall is the gateway. I see only the firewall with a local address connected to the cable modem, which I don't think will work the way described. Something here has to be connected to two networks (LAN & internet).
Brian JD
the piece of the puzzle that appears absent from your communicated understanding of the situation in discussion is that the box that is talking to the internet is doing network address translation, so even an IP stack that would bypass a hop if it can will do no such thing.
That's an incorrect conclusion. The place where NAT will happen is only on the firewall, unless the router is also running a firewall. I didn't see that in the specs of the network in question. While the NAT machine is going to translate the local address, and there really is no way to skip the firewall (if the network is configured properly), I was stating that the router isn't part of the communications after the initial connection. Depending on the rules in the firewall, it is possible to prevent any outgoing packet from any location other than the router; however, this may break connections. I think that a route can only prevent "initial" connections coming from any PC other than the router. I'd have to go and read the RFCs, but IIRC once a connection is "established" it will bypass the router if that makes a shorter route. This is what you *want* to happen anyway, if your router is separate from the firewall. If the firewall is compromised though, all bets are off. Of course, it's easy to test my hypothesis by running ethereal on the router, firewall and client PC.
Brian JD
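As an added illustration (not part of the thread above, and not the network it describes), the model below shows the per-packet next-hop decision a standard IPv4 host makes: a longest-prefix match on the destination address alone, with no connection state, plus the one mechanism (an ICMP Redirect from the current gateway) by which the host can learn a closer next hop, and only when that next hop is on a directly connected network. The routing table and addresses are constructed.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# (prefix, gateway); gateway None means the prefix is directly connected.
Route = Tuple[IPv4Network, Optional[IPv4Address]]

def make_table() -> List[Route]:
    """Constructed host table: LAN 192.168.1.0/24 is on-link, everything
    else goes via the NAT firewall at 192.168.1.1 (assumed addresses)."""
    return [
        (IPv4Network("192.168.1.0/24"), None),
        (IPv4Network("0.0.0.0/0"), IPv4Address("192.168.1.1")),
    ]

def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match. Only the destination address is consulted;
    whether a TCP connection is 'established' plays no part here."""
    addr = IPv4Address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)

def next_hop(table: List[Route], dst: str) -> IPv4Address:
    """Address the frame is actually delivered to: the gateway for an
    off-link destination, the destination itself when it is on-link."""
    _prefix, gw = lookup(table, dst)
    return gw if gw is not None else IPv4Address(dst)

def apply_redirect(table: List[Route], dst: str, new_gw: str) -> bool:
    """Model an ICMP Redirect: install a /32 host route to dst via new_gw.
    As RFC 1122 requires, a redirect naming a gateway that is not on a
    directly connected network is silently discarded. Returns True if a
    route was installed."""
    gw = IPv4Address(new_gw)
    if not any(gw in prefix for prefix, g in table if g is None):
        return False  # off-link gateway: ignored, table unchanged
    table.append((IPv4Network(f"{dst}/32"), gw))
    return True
```

Running `next_hop` twice for the same internet destination gives the same gateway both times; only a redirect to an on-link address changes the answer, and a redirect to an address outside the LAN leaves the table untouched.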