I totally agree with Felix!
2013/8/15 Felix Zachlod <[email protected]>:
> > > does- but this has drawbacks too as I mentioned....
> >
> > Exactly.... That's the job of a firewall. Can you explain these "drawbacks" of using the firewall to do this....?
> >
> > From a performance/security viewpoint it's a very bad idea to let this get handled at application level. On Linux one has netfilter which does its job and does it good and is properly tested and can be enhanced using extra modules.
>
> Yes of course. The firewall does not know anything about the upper layer protocols and cannot filter based on a decision, e.g. which path is going to be accessed or which virtual host. Which means we have to create different access locations for different user groups; this leads to a waste of IP addresses and a complication of the whole configuration. Of course I know that a firewall rule matching is way faster than a check on the application level, but it can do less. E.g. you could also decide by IP range if a client is forced to use SSL or is redirected to another service or is forced to a backend which requires authentication and so on, very easily within an application level gateway. You are also able to show decent information to the user why his/her access is not being granted right now. Performance of this checking is really no problem for us. We run a clustered pound setup with two virtual machines with each two virtual CPUs. These are far away from being fully utilized; let me say they could at least handle fifty times more users right now although they are doing SSL offloading and load balancing for around 10 portals with hundreds of users and although we already have a lot of rules with large regex sets within our configs.
>
> I don't see the point why an application level gateway like pound should NOT feature such an IP based filtering rule. You are still able to decide yourself if you want to use it and if it meets your requirements or not; if you need the additional performance, decide to do it with your firewall.
>
> Regards, Felix
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.

--
Load balancer distribution - Open Source Project
http://www.zenloadbalancer.com
Distribution list (subscribe): [email protected]
