High throughput bgp links using gentoo + stripped kernel

Phil Fagan philfagan at gmail.com
Mon May 20 23:08:18 UTC 2013


Just curious, and perhaps off topic a tad, but is the stateful filtering of
sessions on a router to replace a firewall? Or is there another reason to
do it? I could see a benefit of creating blacklists; however,
I'm struggling with what other benefits it would provide...service-aware
load-balancing? I'm very interested to learn what other strategies
and/or design considerations would be made with thinking of using filtering
on a router.

I'm perfectly willing to accept consolidation of services :-)


On Mon, May 20, 2013 at 3:45 PM, Matt Palmer <mpalmer at hezmatt.org> wrote:

> On Sun, May 19, 2013 at 04:42:23PM -0700, Seth Mattinen wrote:
> > On 5/19/13 4:27 PM, Ben wrote:
> > > Do you actually need stateful filtering?  A lot of people seem to think
> > > that it's important, when really they're accomplishing little from it,
> > > you can block ports etc without it.
> >
> > I believe PCI compliance requires it, other things like it probably do
> > too.
>
> There'd be very few PCI compliant sites if PCI required stateful
> firewalling in core routers.
>
> - Matt


-- 
Phil Fagan
Denver, CO
970-480-7618

