3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
126 CHAPTER 8: TRANSPARENT FIREWALL
By default, the firewall operates in route mode.
Note: When operating in transparent mode, the firewall automatically enables the bridging function.
Configuring System IP Address
On a firewall in route mode, all interfaces work at Layer 3 and you can configure Layer 3 attributes for them. When the firewall is in transparent mode, all interfaces operate at Layer 2 and you cannot configure Layer 3 attributes such as an IP address for them. The firewall must still have an IP address so that it can be managed and can offer network services (Telnet or SNMP). To solve this problem, you can configure a system IP address, instead of an interface IP address, for the transparent firewall.
Perform the following configuration in system view (see Table 112).
The default system IP address of the transparent firewall is 169.0.0.1/8, and you can modify it with the firewall system-ip command. In route mode, you cannot configure a system IP address for the firewall.
Enabling/Disabling Dynamic ARP Learning
Communications between the intranet and outside networks must go through the transparent firewall, so ARP requests and responses are generated whenever a device accesses the firewall or originates a connection to an outside device. The transparent firewall can automatically learn ARP entries for use in later address translation.
Only a limited number of ARP table entries are maintained on the firewall. During an ARP flood attack, the firewall may accumulate too many ARP table entries, and normal ARP resolution will be affected. To avoid this problem, you can disable dynamic ARP learning and manually configure static ARP entries.
Perform the following configuration in system view (see Table 113).
By default, ARP learning is enabled on the transparent firewall.
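The following Python model illustrates the failure mode and the mitigation described above. It is an added example, not code from 3Com or from the firewall module: a bounded ARP table that either learns entries dynamically or relies only on static entries, an ARP flood of constructed bogus bindings that fills the table, and a check of whether legitimate hosts can still be resolved afterwards. The capacity of 8 entries, the assumption that a full table rejects new dynamic entries rather than evicting old ones, and all IP and MAC addresses are constructed for the illustration.

```python
from collections import OrderedDict
from typing import Dict, Optional


class ArpTable:
    """Bounded ARP table modelled after the manual's description (assumed behaviour).

    Static entries are configured by the administrator and are never overwritten
    by learned ones. Dynamic entries are only stored while learning is enabled and
    while the table has free capacity; a full table rejects new entries (assumption).
    """

    def __init__(self, capacity: int, dynamic_learning: bool = True) -> None:
        self.capacity = capacity
        self.dynamic_learning = dynamic_learning
        self.static: Dict[str, str] = {}
        self.dynamic: "OrderedDict[str, str]" = OrderedDict()
        self.rejected_learns = 0  # a spike here is a cheap flood indicator

    def add_static(self, ip: str, mac: str) -> None:
        """Administrator-configured binding; survives floods and learning being off."""
        self.static[ip] = mac

    def learn(self, ip: str, mac: str) -> bool:
        """Process an observed ARP binding. Returns True if it was stored."""
        if ip in self.static or not self.dynamic_learning:
            self.rejected_learns += 1
            return False
        if ip in self.dynamic:
            self.dynamic[ip] = mac
            self.dynamic.move_to_end(ip)
            return True
        if len(self.static) + len(self.dynamic) >= self.capacity:
            self.rejected_learns += 1  # table full: legitimate hosts now fail
            return False
        self.dynamic[ip] = mac
        return True

    def resolve(self, ip: str) -> Optional[str]:
        """Look up a MAC address, preferring static entries."""
        return self.static.get(ip) or self.dynamic.get(ip)


def arp_flood(table: ArpTable, count: int, prefix: str = "10.0.0.") -> int:
    """Constructed flood: many bogus IP-to-MAC bindings; returns how many were stored."""
    stored = 0
    for i in range(count):
        mac = "de:ad:be:ef:{:02x}:{:02x}".format(i // 256, i % 256)
        if table.learn("{}{}".format(prefix, i), mac):
            stored += 1
    return stored


def demo_unprotected() -> dict:
    """Dynamic learning on: the flood fills the table and a new host cannot be resolved."""
    table = ArpTable(capacity=8, dynamic_learning=True)
    table.add_static("192.168.1.1", "00:11:22:33:44:01")  # constructed gateway entry
    stored = arp_flood(table, 50)
    table.learn("192.168.1.50", "00:11:22:33:44:50")  # legitimate host arrives late
    return {
        "flood_entries_stored": stored,
        "new_host_resolvable": table.resolve("192.168.1.50") is not None,
        "gateway_resolvable": table.resolve("192.168.1.1") is not None,
        "rejected_learns": table.rejected_learns,
    }


def demo_protected() -> dict:
    """Learning disabled plus static entries: the flood stores nothing, hosts still resolve."""
    table = ArpTable(capacity=8, dynamic_learning=False)
    table.add_static("192.168.1.1", "00:11:22:33:44:01")   # constructed gateway entry
    table.add_static("192.168.1.50", "00:11:22:33:44:50")  # constructed host entry
    stored = arp_flood(table, 50)
    return {
        "flood_entries_stored": stored,
        "new_host_resolvable": table.resolve("192.168.1.50") is not None,
        "gateway_resolvable": table.resolve("192.168.1.1") is not None,
        "rejected_learns": table.rejected_learns,
    }


if __name__ == "__main__":
    print("dynamic learning on :", demo_unprotected())
    print("static entries only :", demo_protected())
```

The trade-off the manual implies is visible in demo_protected: with dynamic learning disabled, every host that must be reachable through the firewall needs its own static entry, so the rejected-learn counter rises during the flood without any effect on resolution, whereas in demo_unprotected the same counter rising coincides with real hosts becoming unresolvable.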
Configuring Handling Approach for Packets with Unknown MAC Address
Upon receiving packets with an unknown destination MAC address, the transparent firewall cannot determine the outgoing interface for them. It can therefore handle these packets in one of three ways:
■ Drop the IP packets with unknown destination MAC address.
■ Broadcast an ARP request to the interfaces in a specific security zone other than the interface that received the packet, and drop the IP packets with
Table 112 Configure system IP address
Operation                                      Command
Configure system IP address for the firewall   firewall system-ip system-ip-address [ address-mask ]
Restore the default system IP address          undo firewall system-ip
Table 113 Enable/disable ARP learning
Operation                       Command
Enable dynamic ARP learning     firewall arp-learning enable
Disable dynamic ARP learning    undo firewall arp-learning enable