Re: sloppy states and dsr

2008-07-01 Thread Theo de Raadt
* Ted Unangst [EMAIL PROTECTED] [2008-06-20 20:50]:
> One would only use sloppy state tracking on the load balancer, right?

not necessarily only, but that would be the most common use I bet. In general, you use it when you cannot avoid it, as in, the other option is to not filter stateful at

Re: sloppy states and dsr

2008-06-30 Thread Henning Brauer
* Ted Unangst [EMAIL PROTECTED] [2008-06-20 20:50]:
> One would only use sloppy state tracking on the load balancer, right?

not necessarily only, but that would be the most common use I bet. In general, you use it when you cannot avoid it, as in, the other option is to not filter stateful at all

sloppy states and dsr

2008-06-20 Thread Ted Unangst
One would only use sloppy state tracking on the load balancer, right? The firewall in front of everything still uses normal tracking?

Re: sloppy states and dsr

2008-06-20 Thread Pierre-Yves Ritschard
* Ted Unangst ([EMAIL PROTECTED]) wrote:
> One would only use sloppy state tracking on the load balancer, right? The firewall in front of everything still uses normal tracking?

Yes, you use sloppy state only on the host(s) seeing half of the traffic.

Re: sloppy states and dsr

2008-06-20 Thread Darrin Chandler
On Fri, Jun 20, 2008 at 08:58:36PM +0200, Pierre-Yves Ritschard wrote:
> * Ted Unangst ([EMAIL PROTECTED]) wrote:
> > One would only use sloppy state tracking on the load balancer, right? The firewall in front of everything still uses normal tracking?
>
> Yes, you use sloppy state only on the

Re: sloppy states and dsr

2008-06-20 Thread Ryan McBride
On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote: Yes, you use sloppy state only on the host(s) seeing half of the traffic. So to say it even more plainly... anywhere you are forced to deal with asymmetric routing you can use sloppy state in place of not having any stateful

Re: sloppy states and dsr

2008-06-20 Thread Paul de Weerd
On Fri, Jun 20, 2008 at 02:47:18PM -0400, Ted Unangst wrote:
| One would only use sloppy state tracking on the load balancer, right?
| The firewall in front of everything still uses normal tracking?

This is why the router should also be running pf/OpenBSD ;)

Cheers,

Paul 'WEiRD' de Weerd
--

Re: sloppy states and dsr

2008-06-20 Thread Darrin Chandler
On Sat, Jun 21, 2008 at 09:12:22AM +0900, Ryan McBride wrote: On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote: Yes, you use sloppy state only on the host(s) seeing half of the traffic. So to say it even more plainly... anywhere you are forced to deal with asymmetric