nanog mailing list archives

Re: I don't need no stinking firewall!


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Sun, 10 Jan 2010 10:45:47 +0000


On Jan 10, 2010, at 3:48 PM, James Hess wrote:

> Firewalls do not need to build a state entry for partial TCP sessions, there are a few different things that can be
> done, such as the firewall answering on behalf of the server (using SYN cookies) and negotiating connection with the
> server after the final ACK.

The firewall capacity for doing this can be easily overwhelmed; and again, well-formed traffic can simply 'crowd out' good traffic. The other drawbacks of the stateful firewall further outweigh even this negligible benefit.

Fronting one's Web server farms/load-balancers with a tier of transparent reverse-proxy caches is a better way to scale TCP connection capacity, as well as the myriad other benefits offered (described earlier in this thread).

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
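The quoted text mentions SYN cookies as the way a device can answer a SYN on the server's behalf without holding a half-open entry. The example below, added here and not code from either poster, shows the mechanism in isolation: the responder encodes a coarse timestamp, the peer's MSS class and a keyed MAC over the 4-tuple into the 32-bit initial sequence number, and reconstructs everything it needs from the final ACK alone. The secret, MSS table, tick period and address values are constructed for the demo; the field layout follows the common 5/3/24-bit split but is an assumption, not any particular vendor's implementation.

```python
import hmac
import hashlib
import time

# Constructed demo secret; a real responder rotates this periodically.
SECRET = b"demo-syn-cookie-secret"

# MSS classes that fit the 3-bit field (index = position in the table).
MSS_TABLE = [536, 1300, 1440, 1460]
COUNTER_PERIOD = 64   # seconds per timestamp tick (assumption for the demo)
MAX_AGE_TICKS = 2     # final ACK must arrive within this many ticks


def _mac24(saddr, sport, daddr, dport, t):
    """24-bit keyed MAC over the 4-tuple and the tick; no state is stored."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _mss_index(mss):
    """Largest table entry not exceeding the peer's advertised MSS."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def _tick(now):
    return int((time.time() if now is None else now) // COUNTER_PERIOD)


def make_cookie(saddr, sport, daddr, dport, mss, now=None):
    """ISN sent in the SYN/ACK: bits 31-27 tick, 26-24 MSS class, 23-0 MAC."""
    t = _tick(now)
    return ((t & 0x1F) << 27) | (_mss_index(mss) << 24) | _mac24(saddr, sport, daddr, dport, t)


def check_cookie(cookie, saddr, sport, daddr, dport, now=None):
    """Return the MSS to use for the connection, or None if the cookie is bad."""
    t_now = _tick(now)
    t_low = (cookie >> 27) & 0x1F
    # Recover the full tick: the most recent one whose low 5 bits match.
    t = t_now - ((t_now - t_low) & 0x1F)
    if t_now - t > MAX_AGE_TICKS:
        return None                      # stale: the SYN was too long ago
    if (cookie & 0xFFFFFF) != _mac24(saddr, sport, daddr, dport, t):
        return None                      # forged, replayed to another tuple, or corrupted
    return MSS_TABLE[(cookie >> 24) & 0x7]


def accept_final_ack(saddr, sport, daddr, dport, ack_num, now=None):
    """Handle the third handshake packet with no half-open entry to look up.

    The client acknowledges ISN+1, so the cookie is ack_num-1. On success the
    responder has everything it needs to open the connection toward the real
    server (the 'negotiating ... after the final ACK' step in the quoted text).
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    return check_cookie(cookie, saddr, sport, daddr, dport, now)


if __name__ == "__main__":
    # Constructed sample handshake.
    syn_time = 100000
    isn = make_cookie("198.51.100.7", 40000, "203.0.113.10", 80, 1460, now=syn_time)
    print("SYN/ACK ISN:", hex(isn))
    print("valid ACK  :", accept_final_ack("198.51.100.7", 40000, "203.0.113.10", 80, isn + 1, now=syn_time + 10))
    print("stale ACK  :", accept_final_ack("198.51.100.7", 40000, "203.0.113.10", 80, isn + 1, now=syn_time + 3 * COUNTER_PERIOD))
    print("wrong port :", accept_final_ack("198.51.100.7", 40001, "203.0.113.10", 80, isn + 1, now=syn_time + 10))
```

Between the SYN and the final ACK nothing is kept in memory, which is the property the quoted text relies on; the trade-off is visible in the code too: only an MSS class survives (no window scale or SACK negotiation without the timestamp-option tricks real stacks use), and the MAC is only 24 bits wide, so the tick window has to stay short.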
