[166937] in North American Network Operators' Group
Re: Dynamic routing through firewall
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed Nov 20 19:44:35 2013
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 21 Nov 2013 00:44:13 +0000
In-Reply-To: <1A5C3257AD8D4946A4B497A6FAF501743C457A2A11@EXCH07-01.apollogrp.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Nov 21, 2013, at 4:21 AM, Cliff Bowles <cliff.bowles@apollogrp.edu> wrot=
e:
> Finally, if you tried one of the options and it was terrible, please expl=
ain.
They're all terrible, heh.
Get the firewalls out of the picture:
<https://app.box.com/s/a3oqqlgwe15j8svojvzl>
Stateful firewalls should not be placed in front of servers, and should not=
be interposed between eBGP peers. Whatever access policies are necessary =
should be expressed in stateless ACLs, as there's no point in putting a sta=
teful inspection device in front of a server which receives unsolicited com=
munications, and many reasons for not doing so.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
