Dynamic routing through firewall

Dobbins, Roland rdobbins at arbor.net
Thu Nov 21 00:44:13 UTC 2013

On Nov 21, 2013, at 4:21 AM, Cliff Bowles <cliff.bowles at apollogrp.edu> wrote:

> Finally, if you tried one of the options and it was terrible, please explain.

They're all terrible, heh.

Get the firewalls out of the picture:


Stateful firewalls should not be placed in front of servers, and should not be interposed between eBGP peers.  Whatever access policies are necessary should be expressed in stateless ACLs, as there's no point in putting a stateful inspection device in front of a server which receives unsolicited communications, and many reasons for not doing so.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the NANOG mailing list