> > does- but this has drawbacks too as I mentioned....
> Exactly.... That's the job of a firewall
> Can you explain these "drawbacks" of using the firewall to do this....?
> From a performance/security viewpoint it's a very bad idea to let this get handled at application level. On Linux one has netfilter which does its job and does it well and is properly tested and can be enhanced using extra modules.
Yes of course. The firewall does not know anything about the upper layer protocols and cannot filter based on a decision e.g. which path is going to be accessed or which virtual host. Which means we have to create different access locations for different user groups; this leads to a waste of IP addresses and a complication of the whole configuration.

Of course I know that a firewall rule matching is way faster than a check on the application level, but it can do less. E.g. you could also decide by IP range if a client is forced to use SSL or is redirected to another service or is forced to a backend which requires authentication and so on very easily within an application level gateway. You are also able to show decent information to the user why his/her access is not being granted right now.

Performance of this checking is really no problem for us. We run a clustered pound setup with two virtual machines with two virtual CPUs each. These are far away from being fully utilized; let me say they could at least handle fifty times more users right now, although they are doing SSL offloading and load balancing for around 10 portals with hundreds of users and although we already have a lot of rules with large regex sets within our configs.

I don't see the point why an application level gateway like pound should NOT feature such an IP based filtering rule. You are still able to decide yourself if you want to use it and if it meets your requirements or not; if you need the additional performance, decide to do it with your firewall.

Regards,
Felix

--
To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions.
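The kind of rule Felix is describing, as an added illustration that is not pound's code or configuration: a first-match ruleset where the decision depends on the client's IP range together with the requested virtual host and path, which a packet filter alone cannot see. Rule names, hostnames, networks and paths below are constructed for the example, as is the action vocabulary (allow, deny, force_ssl, require_auth).

```python
"""Layer-7 access rules combining client source range with virtual host and path.

Added example for the discussion above; not pound's own code or config format.
All hosts, networks, rule names and paths are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    networks: Tuple[str, ...]   # client source ranges this rule applies to
    host: Optional[str]         # virtual host (None = any host)
    path_re: Optional[str]      # regex anchored at the start of the path (None = any)
    action: str                 # 'allow' | 'deny' | 'force_ssl' | 'require_auth'

    def matches(self, client_ip: str, host: str, path: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        # Mixed address families compare as "not contained", so a v6 client
        # never matches a v4-only range by accident.
        if not any(ip in ipaddress.ip_network(n) for n in self.networks):
            return False
        if self.host is not None and host.lower() != self.host:
            return False
        if self.path_re is not None and not re.match(self.path_re, path):
            return False
        return True


# Constructed ruleset: evaluated top to bottom, first match wins.
RULES = (
    # /admin is reachable only from the internal range; everyone else is told why not.
    Rule("intranet-admin", ("10.0.0.0/8",), "portal.example.test", r"^/admin(/|$)", "allow"),
    Rule("admin-from-outside", ("0.0.0.0/0",), "portal.example.test", r"^/admin(/|$)", "deny"),
    # A partner range is pushed onto TLS before anything else is considered.
    Rule("partners-plain-to-ssl", ("192.0.2.0/24",), None, None, "force_ssl"),
    # The rest of the portal is served, but behind an authenticating backend.
    Rule("public-needs-login", ("0.0.0.0/0",), "portal.example.test", r"^/", "require_auth"),
)


def decide(client_ip: str, host: str, path: str, scheme: str = "http") -> Tuple[str, str]:
    """Return (action, reason) for one request.

    The reason string is what the gateway could show the user, which is the
    "decent information" a firewall drop cannot provide.
    """
    for rule in RULES:
        if not rule.matches(client_ip, host, path):
            continue
        if rule.action == "force_ssl" and scheme == "https":
            continue  # already on TLS; let later rules decide
        return rule.action, f"matched rule '{rule.name}'"
    # Default deny: nothing permitted this client/host/path combination.
    return "deny", "no rule permits this client/host/path combination"


if __name__ == "__main__":
    for req in (("10.1.2.3", "portal.example.test", "/admin/users", "https"),
                ("203.0.113.7", "portal.example.test", "/admin", "https"),
                ("192.0.2.10", "portal.example.test", "/", "http"),
                ("192.0.2.10", "portal.example.test", "/", "https"),
                ("203.0.113.7", "other.example.test", "/", "https")):
        print(req, "->", decide(*req))
```

The point of the example is the shape of the decision, not the rule syntax: each rule reads request attributes (host, path, scheme) that only exist after TLS termination and HTTP parsing, so the same policy expressed purely in netfilter would need a separate listener address per user group, which is the configuration sprawl the post complains about.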
