Re: [AFMUG] drop invalid state when asymmetric

2015-11-09 Thread That One Guy /sarcasm
nt the network routers > worrying about stateful firewall rules and application specific fixups and > tracking every source/destination/IP/port combination. > > > *From:* Joshaven Mailing Lists <lis...@joshaven.com> > *Sent:* Monday, November 09, 2015 2:26 PM > *To:* af@af

Re: [AFMUG] drop invalid state when asymmetric

2015-11-09 Thread Adam Moffett
No. IMO, you don't need to drop invalid connections on your ISP network. Asymmetric paths across the internet are almost a given. It makes sense on a customer firewall where you might be blocking a spoofed connection. On 11/9/2015 3:11 PM, That One Guy /sarcasm wrote: If I have some

Re: [AFMUG] drop invalid state when asymmetric

2015-11-09 Thread Adam Moffett
o:* af@afmug.com *Subject:* Re: [AFMUG] drop invalid state when asymmetric You cannot have a connection that is indicated on one router continued on another router without being invalid. One magic trick is having the best routing information for network egress. This wa

Re: [AFMUG] drop invalid state when asymmetric

2015-11-09 Thread That One Guy /sarcasm
makes sense, thank you On Mon, Nov 9, 2015 at 2:30 PM, Adam Moffett wrote: > No. > > IMO, you don't need to drop invalid connections on your ISP network. > Asymmetric paths across the internet are almost a given. It makes sense on > a customer firewall where you might be

[AFMUG] drop invalid state when asymmetric

2015-11-09 Thread That One Guy /sarcasm
If I have some asymmetric routes on the network, and there is a drop invalid state rule in the forward chain, is there any magician trick to get around disabling this rule? (it's considered invalid because connection tracking is only seeing half the traffic) fixing the asymmetry is the long term
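
The mechanism behind the question, as an added example that is not part of the thread: a reduced model of a netfilter-style TCP connection tracker (an approximation of the kind of state table the kernel keeps, not the real one) fed the two halves of a handshake separately, then run through a minimal forward chain with a drop-invalid rule. The hosts, ports and the `notrack` prefix list are constructed for the example; the notrack exemption stands in for a raw-table rule (`-j CT --notrack` in iptables, `action=notrack` in a RouterOS raw rule).

```python
"""Model of why a router that sees only one direction of a TCP flow marks
packets INVALID, and what a notrack exemption changes (added example).

The state table below is a simplified approximation of a netfilter-style
TCP tracker; it is not the kernel's table.  Addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

NEW, ESTABLISHED, INVALID, UNTRACKED = "new", "established", "invalid", "untracked"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


def key(p: Packet) -> Tuple:
    # Direction-independent key so both directions map to one entry.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class ConnTracker:
    def __init__(self, loose_tcp: bool = False, notrack: List[str] = ()):
        self.table: Dict[Tuple, dict] = {}   # key -> {"state", "orig"}
        self.loose_tcp = loose_tcp           # allow mid-stream pickup of bare ACKs
        self.notrack = list(notrack)         # prefixes exempt from tracking (assumed config)

    def classify(self, p: Packet) -> str:
        if any(p.src.startswith(x) or p.dst.startswith(x) for x in self.notrack):
            return UNTRACKED                  # raw-table notrack: never enters the table
        k = key(p)
        e = self.table.get(k)
        if e is None:
            if p.flags == "S":
                self.table[k] = {"state": "SYN_SENT", "orig": (p.src, p.sport)}
                return NEW
            if p.flags == "A" and self.loose_tcp:
                # Mid-stream pickup: the tracker adopts an already-open flow as NEW.
                self.table[k] = {"state": "ESTABLISHED", "orig": (p.src, p.sport)}
                return NEW
            return INVALID                    # SYN-ACK, RST or strict ACK with no entry
        original = (p.src, p.sport) == e["orig"]
        st = e["state"]
        if st == "SYN_SENT":
            if original and p.flags == "S":
                return NEW                    # retransmitted SYN
            if not original and p.flags == "SA":
                e["state"] = "SYN_RECV"
                return ESTABLISHED            # first reply seen: flow is now established
            # Client's handshake ACK (or data) without a SYN-ACK ever seen:
            # the tracker cannot reconcile it, so it is INVALID.  This is the
            # asymmetric-routing case: the reply went through another router.
            return INVALID
        if st == "SYN_RECV":
            if original and p.flags == "A":
                e["state"] = "ESTABLISHED"
                return ESTABLISHED
            if not original and p.flags == "SA":
                return ESTABLISHED            # retransmitted SYN-ACK
            return INVALID
        if "R" in p.flags:
            del self.table[k]                 # RST tears the entry down
        return ESTABLISHED


def forward_chain(ct: ConnTracker, p: Packet, drop_invalid: bool = True) -> Tuple[str, str]:
    """Minimal forward chain; returns (verdict, ctstate). Chain policy is accept."""
    state = ct.classify(p)
    rules = ([("drop", {INVALID})] if drop_invalid else []) + \
            [("accept", {ESTABLISHED}), ("accept", {NEW})]
    for verdict, states in rules:
        if state in states:
            return verdict, state
    return "accept", state                    # policy; UNTRACKED packets land here


CLIENT, SERVER = "10.1.1.10", "198.51.100.20"  # constructed


def flow() -> List[Packet]:
    return [Packet(CLIENT, 40000, SERVER, 443, "S"),
            Packet(SERVER, 443, CLIENT, 40000, "SA"),
            Packet(CLIENT, 40000, SERVER, 443, "A"),
            Packet(CLIENT, 40000, SERVER, 443, "A"),   # client data
            Packet(SERVER, 443, CLIENT, 40000, "A")]   # server data


def run(pkts: List[Packet], ct: ConnTracker, drop_invalid: bool = True) -> List[str]:
    return [forward_chain(ct, p, drop_invalid)[0] for p in pkts]


def symmetric() -> List[str]:
    return run(flow(), ConnTracker())


def outbound_only(drop_invalid: bool = True, notrack=()) -> List[str]:
    # This router carries only client->server; the return path uses another router.
    return run([p for p in flow() if p.src == CLIENT], ConnTracker(notrack=notrack), drop_invalid)


def return_only(loose_tcp: bool = False) -> List[str]:
    # This router carries only server->client.
    return run([p for p in flow() if p.src == SERVER], ConnTracker(loose_tcp=loose_tcp))


if __name__ == "__main__":
    print("symmetric          ", symmetric())
    print("outbound only      ", outbound_only())
    print("outbound, no drop  ", outbound_only(drop_invalid=False))
    print("outbound, notrack  ", outbound_only(notrack=["10.1.1."]))
    print("return only        ", return_only())
    print("return only, loose ", return_only(loose_tcp=True))
```

On the outbound-only router the SYN is NEW and passes, but every later client packet is INVALID because the tracker never saw the SYN-ACK; on the return-only router the SYN-ACK arrives with no entry and is INVALID too, and loose TCP tracking only rescues the bare ACKs that follow. Removing the drop-invalid rule lets those packets fall through to the chain policy, which is what the rest of the thread recommends on ISP routers. A notrack exemption also avoids the drop, but untracked packets match no state rule at all (and bypass conntrack-based NAT), so it should be scoped to the prefixes known to route asymmetrically rather than applied broadly.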

Re: [AFMUG] drop invalid state when asymmetric

2015-11-09 Thread Joshaven Mailing Lists
You cannot have a connection that is indicated on one router continued on another router without being invalid. One magic trick is having the best routing information for network egress. This way the device will pick the best path out and in to your network. Another magic trick would be to

Re: [AFMUG] drop invalid state when asymmetric

2015-11-09 Thread Ken Hohhof
rules and application specific fixups and tracking every source/destination/IP/port combination. From: Joshaven Mailing Lists Sent: Monday, November 09, 2015 2:26 PM To: af@afmug.com Subject: Re: [AFMUG] drop invalid state when asymmetric You cannot have a connection that is indicated on one