Wednesday, January 9, 2019

Does an access list applied to an ASA firewall interface filter traffic passing through it and not traffic originating from the firewall?

I was told that access list rules in a firewall apply only to traffic PASSING through the firewall and not to traffic originating from the firewall. Is that correct? If so, when a host connected to one of the firewall's interfaces/subnets sends a DHCP discover message, it will be a broadcast and will reach the default gateway of that subnet, which is configured on the firewall. The default gateway will use DHCP relay and change the source IP address to its own (the default gateway's) IP. So now the traffic appears to originate from the firewall, and an access list rule is not required.

But if an L3 switch is connected to the firewall, then the L3 switch would already have changed the source IP address. So when the packet arrives at the firewall interface, the source IP address probably will not change again, because the packet is no longer a broadcast when it reaches the firewall interface and now has a unicast source and destination IP address. So in this case the access list rules need to allow UDP 67 & 68. Am I correct?
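As an added illustration (not part of the original post, and not a configuration taken from any real deployment), here is a hypothetical ASA configuration for the two cases described above. All interface names, ACL names and addresses are assumptions. In the first case the ASA itself is the DHCP relay agent: the client's broadcast is terminated on the ASA and the unicast copy sent to the server is originated by the ASA, and interface access-groups on the ASA are only evaluated for transit traffic. In the second case the L3 switch is the relay agent, so the relayed DHCPDISCOVER arriving at the ASA is ordinary transit traffic and the inbound ACL on the interface facing the switch has to permit it.

```text
! ===== Case 1: the ASA is the DHCP relay agent (hypothetical addresses) =====
! Clients sit on "inside" 192.0.2.0/24; the DHCP server 198.51.100.10 is reachable via "dmz".
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
dhcprelay server 198.51.100.10 dmz
dhcprelay enable inside
dhcprelay timeout 90
!
! The client's broadcast DHCPDISCOVER (src 0.0.0.0/68 -> 255.255.255.255/67) is
! to-the-box traffic terminated by the relay agent on the ASA, and the unicast copy
! the ASA forwards to 198.51.100.10 is from-the-box traffic. An access-group applied
! to "inside" or "dmz" is not evaluated for either, so no UDP 67/68 entry is needed here.

! ===== Case 2: an L3 switch is the relay agent (separate, hypothetical topology) =====
! "inside" is now a transit link 203.0.113.0/24 to the switch; the switch's SVI
! 203.0.113.2 has "ip helper-address 198.51.100.10" for its client VLAN 192.0.2.0/24.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 203.0.113.1 255.255.255.0
!
route inside 192.0.2.0 255.255.255.0 203.0.113.2
!
! The switch forwards the DHCPDISCOVER as unicast: src 203.0.113.2/67 -> dst 198.51.100.10/67
! (relay agent to server uses UDP 67 on both sides). That packet transits the ASA, so the
! inbound ACL on "inside" must permit it explicitly.
access-list INSIDE_IN extended permit udp host 203.0.113.2 host 198.51.100.10 eq bootps
! ... other rules for traffic from the client VLAN ...
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! The ASA keeps a connection entry for the UDP flow, so the server's DHCPOFFER back to
! 203.0.113.2 port 67 is returned on that flow without an extra rule on "dmz".
! UDP 68 (bootpc) is only used between the client and the switch's SVI on the client VLAN
! and never crosses the ASA in this topology.
```

To check which path a packet takes without waiting for a client to boot, simulate the relayed packet on the ASA with `packet-tracer input inside udp 203.0.113.2 67 198.51.100.10 67` and confirm the ACCESS-LIST phase shows ALLOW; after a real lease request, `show conn protocol udp port 67` should list the relay-to-server flow and `show access-list INSIDE_IN` should show a hit count on the bootps entry.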


