Frank Cusack <[email protected]> writes:

> On Tue, Sep 25, 2012 at 2:08 PM, Russ Allbery <[email protected]> wrote:

>> We were quite concerned when we first looked at putting Kerberos KDCs
>> behind a hardware firewall because of that session limit. Our firewalls
>> have a 100,000 UDP session limit and a fairly quick timeout.

> Ideally you just disable the concept of a UDP "session" altogether. For
> Kerberos traffic I can't imagine a benefit to maintaining sessions
> unless you need address translation.

Agreed, but apparently at least some firewalls don't make this
configurable. I was told that, with the ones we were using, they always
create sessions and there isn't any way to avoid it. All you can do is
time them out faster.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
