Requirements for IPv6 Firewalls

Łukasz Bromirski lukasz at
Sat Apr 19 18:44:14 UTC 2014

On 19 Apr 2014, at 20:08, George William Herbert <george.herbert at> wrote:

> On Apr 18, 2014, at 9:10 PM, "Dobbins, Roland" <rdobbins at> wrote:
>> You can 'call' it all you like - but people who actually want to keep their servers up and running don't put stateful firewalls in front of them,
> I don't know where you find ideas like this.

From the real world.

> There are stateful firewalls in the security packages in front of all the internet facing servers in all the major service providers I've worked at.  Not *just* stateful firewalls, but they're in there.

There’s no sense in putting a stateful firewall in front of a DNS server,
unless the DNS server is underperforming, and then it should be
exchanged and not protected by a stateful firewall.

You can try to protect mail/WWW servers with stateful firewalls, but
it often achieves nothing but making the firewall the weakest link in
the setup. And tuning it to perform reasonably well in normal and
peak traffic is usually not achievable.

In case of a DDoS attack, the stateful firewall goes out first. I’ve
seen them burn too. To protect high-performance services, you do
stateless filtering + NetFlow-based QoS policies, or shunt to
dedicated DDoS filtering boxes.

Adding state where it’s not needed is a sign of bad design. And just
because a lot of people do that doesn’t make it any better.

"There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:lbromirski at
 about."               John von Neumann |
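An added example of the stateless approach the message argues for, written for this page and not part of the original post or its author's setup: an nftables ruleset for an authoritative IPv6 DNS server that filters and polices per packet without connection tracking. The server address and management prefix are documentation-prefix values assumed for the example.

```nftables
# Added example (not from the thread): stateless IPv6 filtering for an
# authoritative DNS server. Assumed address 2001:db8::53 (documentation
# prefix). Every packet is judged on its own; nothing is entered into the
# connection-tracking table, so there is no state table to exhaust.
table inet dns_edge {
    chain raw_in {
        type filter hook prerouting priority raw; policy accept;
        # keep DNS traffic out of conntrack entirely (belt and braces: with
        # no "ct" rules in this table, conntrack is never engaged anyway)
        ip6 daddr 2001:db8::53 udp dport 53 notrack
        ip6 daddr 2001:db8::53 tcp dport 53 notrack
    }
    chain raw_out {
        type filter hook output priority raw; policy accept;
        ip6 saddr 2001:db8::53 udp sport 53 notrack
        ip6 saddr 2001:db8::53 tcp sport 53 notrack
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # ICMPv6 that IPv6 cannot function without (ND, PMTUD, errors)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big, time-exceeded,
                      destination-unreachable, parameter-problem } accept
        # per-packet policer: shed excess query load before the daemon
        # sees it (the rate is an assumed placeholder, tune to capacity)
        ip6 daddr 2001:db8::53 udp dport 53 limit rate over 200000/second drop
        # the service itself, decided per packet, no state kept
        ip6 daddr 2001:db8::53 udp dport 53 accept
        ip6 daddr 2001:db8::53 tcp dport 53 accept
        # replies to the server's own TCP sessions (e.g. zone transfers):
        # the classic router-ACL "established" test, ACK set and SYN clear
        tcp dport 1024-65535 tcp flags & (syn|ack) == ack accept
        # replies to the server's own UDP queries (NOTIFY, upstream lookups):
        # the known price of statelessness is that sport 53 to a high port
        # is accepted without knowing whether this host asked for it
        udp sport 53 udp dport 1024-65535 accept
        # management access from an assumed management prefix only
        ip6 saddr 2001:db8:ff00::/48 tcp dport 22 accept
        # everything else falls through to the chain policy: drop
    }
}
```

Load with `nft -f` and confirm with `conntrack -L` that DNS flows never appear in the table; the point of the ruleset is that a flood grows the packet counters, not a state table.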
