Re: sloppy states and dsr

2008-06-30 Thread Theo de Raadt
> * Ted Unangst <[EMAIL PROTECTED]> [2008-06-20 20:50]:
> > One would only use sloppy state tracking on the load balancer, right?
>
> not necessarily only, but that would be the most common use I bet.
> In general, you use it when you cannot avoid it, as in, the other
> option is to not filter sta

Re: sloppy states and dsr

2008-06-30 Thread Henning Brauer
* Ted Unangst <[EMAIL PROTECTED]> [2008-06-20 20:50]:
> One would only use sloppy state tracking on the load balancer, right?

not necessarily only, but that would be the most common use I bet. In general, you use it when you cannot avoid it, as in, the other option is to not filter stateful at all

Re: sloppy states and dsr

2008-06-20 Thread Darrin Chandler
On Sat, Jun 21, 2008 at 09:12:22AM +0900, Ryan McBride wrote:
> On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote:
> > > Yes, you use sloppy state only on the host(s) seeing half of the traffic.
> >
> > So to say it even more plainly... anywhere you are forced to deal with
> > asymetr

Re: sloppy states and dsr

2008-06-20 Thread Paul de Weerd
On Fri, Jun 20, 2008 at 02:47:18PM -0400, Ted Unangst wrote:
| One would only use sloppy state tracking on the load balancer, right?
| The firewall in front of everything still uses normal tracking?

This is why the router should also be running pf/OpenBSD ;)

Cheers,

Paul 'WEiRD' de Weerd

-- >+

Re: sloppy states and dsr

2008-06-20 Thread Ryan McBride
On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote:
> > Yes, you use sloppy state only on the host(s) seeing half of the traffic.
>
> So to say it even more plainly... anywhere you are forced to deal with
> asymmetric routing you can use sloppy state in place of not having any
> statefu

Re: sloppy states and dsr

2008-06-20 Thread Darrin Chandler
On Fri, Jun 20, 2008 at 08:58:36PM +0200, Pierre-Yves Ritschard wrote:
> * Ted Unangst ([EMAIL PROTECTED]) wrote:
> > One would only use sloppy state tracking on the load balancer, right?
> > The firewall in front of everything still uses normal tracking?
> >
>
> Yes, you use sloppy state only on

Re: sloppy states and dsr

2008-06-20 Thread Pierre-Yves Ritschard
* Ted Unangst ([EMAIL PROTECTED]) wrote:
> One would only use sloppy state tracking on the load balancer, right?
> The firewall in front of everything still uses normal tracking?
>

Yes, you use sloppy state only on the host(s) seeing half of the traffic.

sloppy states and dsr

2008-06-20 Thread Ted Unangst
One would only use sloppy state tracking on the load balancer, right? The firewall in front of everything still uses normal tracking?