nanog mailing list archives
Re: Dynamic routing through firewall
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 21 Nov 2013 00:44:13 +0000
On Nov 21, 2013, at 4:21 AM, Cliff Bowles <cliff.bowles () apollogrp edu> wrote:
Finally, if you tried one of the options and it was terrible, please explain.
They're all terrible, heh. Get the firewalls out of the picture:

<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

Stateful firewalls should not be placed in front of servers, and should not be interposed between eBGP peers. Whatever access policies are necessary should be expressed in stateless ACLs, as there's no point in putting a stateful inspection device in front of a server which receives unsolicited communications, and many reasons for not doing so.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton