It's in the script. Right now visibility and eliminating traffic nobody needs is the primary reason for any forward rules.
On Mon, Nov 9, 2015 at 2:45 PM, Adam Moffett <[email protected]> wrote:
> Sometimes Ken I think you are reading my mind.
>
> On 11/9/2015 3:42 PM, Ken Hohhof wrote:
>
> What is the rationale behind this rule in the first place?
>
> Maybe because I originally come from the routing-in-hardware world, I don’t even have connection tracking enabled on my network routers (with the exception of some dedicated routers trying to be a poor man’s Procera). I guess if I had customers sharing public IPs I would have to.
>
> My view is that border/core/tower routers only care about routes: this packet is going to this destination IP, so it goes out this interface to this next hop. And some QoS marks. Not sure I want the network routers worrying about stateful firewall rules and application-specific fixups and tracking every source/destination/IP/port combination.
>
> *From:* Joshaven Mailing Lists <[email protected]>
> *Sent:* Monday, November 09, 2015 2:26 PM
> *To:* [email protected]
> *Subject:* Re: [AFMUG] drop invalid state when asymmetric
>
> You cannot have a connection that is indicated on one router continued on another router without being invalid.
>
> One magic trick is having the best routing information for network egress. This way the device will pick the best path out and in to your network.
>
> Another magic trick would be to drop invalid connections on the input chain but not the forward chain of your edge router, and drop invalid on the forward chain on the router closest to your client. A good connection would not be invalid on the customer-touching router because it would always traverse this router.
>
> Sincerely,
> Joshaven Potter
> MTCNA, MTCRE, MTCWE, MTCTCE, UACA
> Google Hangouts: [email protected]
> Cell & SMS: 1-517-607-9370
> [email protected]
>
> On Nov 9, 2015, at 3:11 PM, That One Guy /sarcasm <[email protected]> wrote:
>
> If I have some asymmetric routes on the network, and there is a drop invalid state rule in the forward chain, is there any magician trick to get around disabling this rule? (It's considered invalid because connection tracking is only seeing half the traffic.)
>
> Fixing the asymmetry is the long-term solution, just curious about today.
>
> --
> If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
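The two-router placement Joshaven describes (drop invalid in the input chain of the edge router, but only in the forward chain of the router nearest the customer) written out as MikroTik RouterOS filter rules. This is an added example, not configuration posted by anyone in the thread; the interface names ether1-wan and ether2-lan, the rule comments, and the split into exactly two routers are assumptions for illustration.

```routeros
# ---- Edge router: may see only one direction of some flows (asymmetric routing) ----
# Drop invalid ONLY in the input chain. Packets destined to the router itself are
# always answered by the router, so conntrack sees both halves and "invalid" means
# what it should. Transit traffic is handled in forward, where we deliberately do
# NOT drop invalid, because half-seen flows would be classified that way.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="edge: replies to router services"
add chain=input connection-state=invalid action=drop comment="edge: protect the router itself"
add chain=forward connection-state=established,related action=accept comment="edge: fast path for flows tracked end to end"
# no 'connection-state=invalid action=drop' in forward here; asymmetric return
# traffic would match it. Any further forward rules on this box must be written
# so they do not depend on conntrack having seen both directions (assumption:
# the operator's own visibility/hygiene rules follow this point).

# ---- Router closest to the customer: every customer flow crosses it both ways ----
# Because both directions traverse this router, conntrack has the full state and a
# drop-invalid rule in forward only hits genuinely broken packets.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="cust: tracked flows"
add chain=forward connection-state=invalid action=drop comment="cust: safe here, both directions seen"
add chain=forward connection-state=new in-interface=ether2-lan action=accept comment="cust: customer-originated sessions"
# remaining forward policy (assumed: per-customer rules) goes after this point
```

To check the placement is doing what you expect, watch the per-rule counters with /ip firewall filter print stats on both routers: on the edge the only invalid-drop counter should be the input-chain one, and on the customer router the forward-chain invalid-drop counter should stay near zero during normal traffic. If it climbs on the customer router, some customer traffic is still taking an asymmetric path around it, which is the case the original poster says needs fixing at the routing level anyway.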
