-------- Original message --------
From: Yi Sun <beyo...@gmail.com>
Date:
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Neutron] DVR SNAT shortcut

Yi wrote:

+1, I had another email to discuss FW (FWaaS) and DVR integration. Traditionally, we run firewall with router so that firewall can use route and NAT info from router. Since DVR is asymmetric when handling traffic, it is hard to run stateful firewall on top of DVR just like a traditional firewall does. When the NAT is in the picture, the situation can be even worse.

Yi

Don't forget logging either. In any security-conscious environment, particularly any place with legal/regulatory/contractual audit requirements, a firewall that doesn't keep full logs of all dropped and passed sessions is worthless. Stateless packet dropping doesn't help at all when conducting forensics on an attack that is already known to have occurred.