nt the network routers
> worrying about stateful firewall rules and application specific fixups and
> tracking every source/destination/IP/port combination.
>
>
> *From:* Joshaven Mailing Lists <lis...@joshaven.com>
> *Sent:* Monday, November 09, 2015 2:26 PM
> *To:* af@af
No.
IMO, you don't need to drop invalid connections on your ISP network.
Asymmetric paths across the internet are almost a given. It makes sense
on a customer firewall where you might be blocking a spoofed connection.
On 11/9/2015 3:11 PM, That One Guy /sarcasm wrote:
If I have some
o:* af@afmug.com <mailto:af@afmug.com>
*Subject:* Re: [AFMUG] drop invalid state when asymmetric
You cannot have a connection that is indicated on one router continued
on another router without being invalid.
One magic trick is having the best routing information for network
egress. This wa
makes sense, thank you
On Mon, Nov 9, 2015 at 2:30 PM, Adam Moffett wrote:
> No.
>
> IMO, you don't need to drop invalid connections on your ISP network.
> Asymmetric paths across the internet are almost a given. It makes sense on
> a customer firewall where you might be
If I have some asymmetric routes on the network, and there is a drop
invalid state rule in the forward chain, is there any magician trick to get
around disabling this rule? (it's considered invalid because connection
tracking is only seeing half the traffic)
fixing the asymmetry is the long term
You cannot have a connection that is indicated on one router continued on
another router without being invalid.
One magic trick is having the best routing information for network egress.
This way the device will pick the best path out and in to your network.
Another magic trick would be to
rules and application specific fixups and tracking every
source/destination/IP/port combination.
From: Joshaven Mailing Lists
Sent: Monday, November 09, 2015 2:26 PM
To: af@afmug.com
Subject: Re: [AFMUG] drop invalid state when asymmetric
You cannot have a connection that is indicated on one