Sometimes, Ken, I think you are reading my mind.
On 11/9/2015 3:42 PM, Ken Hohhof wrote:
What is the rationale behind this rule in the first place?
Maybe because I originally come from the routing-in-hardware world, I
don’t even have connection tracking enabled on my network routers
(with the exception of some dedicated routers trying to be a poor
man’s Procera). I guess if I had customers sharing public IPs I would
have to.
My view is that border/core/tower routers only care about routes, this
packet is going to this destination IP so it goes out this interface
to this next hop. And some QoS marks. Not sure I want the network
routers worrying about stateful firewall rules and application
specific fixups and tracking every source/destination/IP/port combination.
*From:* Joshaven Mailing Lists <mailto:lis...@joshaven.com>
*Sent:* Monday, November 09, 2015 2:26 PM
*To:* af@afmug.com <mailto:af@afmug.com>
*Subject:* Re: [AFMUG] drop invalid state when asymmetric
You cannot have a connection that is indicated on one router continued
on another router without being invalid.
One magic trick is having the best routing information for network
egress. This way the device will pick the best path out and in to
your network.
Another magic trick would be to drop invalid connections on the input
chain but not forward chain of your edge router and drop invalid on
the forward chain on the router closest to your client. A good
connection would not be invalid on the customer-touching router
because it would always traverse this router.
Sincerely,
Joshaven Potter
MTCNA, MTCRE, MTCWE, MTCTCE, UACA
Google Hangouts: yourt...@gmail.com <mailto:yourt...@gmail.com>
Cell & SMS: 1-517-607-9370
supp...@joshaven.com <mailto:supp...@joshaven.com>
On Nov 9, 2015, at 3:11 PM, That One Guy /sarcasm
<thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com>> wrote:
If I have some asymmetric routes on the network, and there is a drop
invalid state rule in the forward chain, is there any magician trick
to get around disabling this rule? (It's considered invalid because
connection tracking is only seeing half the traffic.)
Fixing the asymmetry is the long-term solution; just curious about today.
--
If you only see yourself as part of the team but you don't see your
team as part of yourself you have already failed as part of the team.
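The rule placement Joshaven describes above, written out as an added RouterOS firewall example (this is not configuration from anyone in the thread). It assumes a MikroTik edge router with two upstream paths (ether1, ether2), so replies may come back on the other one, and an access router (ether3 faces the customer) that every customer flow crosses in both directions; interface names are placeholders.

```routeros
# Added example, not from the thread. Interface names are assumptions.

# --- Edge router: paths can be asymmetric here, so connection tracking may
# only ever see half of a flow. Protect the router itself with drop-invalid
# on the input chain, but leave the forward chain without that rule.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to the router's own sessions (mgmt, BGP, DNS)"
add chain=input connection-state=invalid action=drop \
    comment="invalid is only dropped for traffic addressed to the router"

# Before changing anything, measure instead of dropping: count how much
# half-seen traffic actually crosses this box. Log only, no drop.
add chain=forward connection-state=invalid action=log \
    log-prefix="edge-invalid-fwd" \
    comment="detection only; watch /log for asymmetric flows"

# The rule that breaks asymmetric flows on an edge router. Shown disabled
# so the contrast is visible; it does not belong on this box.
add chain=forward connection-state=invalid action=drop disabled=yes \
    comment="do NOT enable on an edge with asymmetric paths"

# --- Access router (closest to the customer): both directions of every
# customer flow pass through this router, so tracking sees the full
# handshake and drop-invalid in the forward chain is safe here.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="known flows, seen in both directions on this box"
add chain=forward connection-state=invalid action=drop \
    comment="safe: customer flows are symmetric through this router"

# Verify on either box which rules are actually hitting and check the
# edge's log-only counter stays near zero after routing is fixed.
/ip firewall filter print stats where chain=forward
/log print where message~"edge-invalid-fwd"
```

The log-only rule on the edge gives a defender a number to watch: once the asymmetry is fixed upstream, its counter should stop climbing, and only then is it reasonable to consider tightening the edge forward chain again.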