> -----Original Message-----
> From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 5 December 2000 1:01
> To: Ben Nagy
> Cc: 'mouss'; [EMAIL PROTECTED]
> Subject: RE: Simple Pimple firewalls
[me]
> > It seems to me that the Cisco reflexive ACLs and IPFilter are both
> > good "simple" stateful solutions that don't try too hard. I like 'em as
> > front-line solutions.
>
> I prefer good old extended access lists out front, but then I expect my
> border routers to be spending a lot of CPU on BGP and not to have to keep
> anything more in memory than basic filter rules. Do reflexive ACLs go to
> the VIP cards or use the main router CPU? Can you limit the state table's
> size?
Both good points. I agree that I wouldn't have a BGP router doing anything
that could chew up not-well-defined amounts of RAM. According to the docco
all you can really do to mitigate the RAM problem is set more aggressive
timeouts, which is probably not enough.
[...]
> > No way. The static filtering in the IOS is the most mature simple packet
> > filter around. The reflexive ACLs (which ARE part of the basic IOS and ARE
> > stateful - sorry Paul) are, in my opinion, just as good. IPFilter / IPfw
>
> I've touched a grand total of one production router in the last 6 months
> and helped someone else out with two more, and none of them have had
> reflexive access lists on them- is it included in a base IOS that people
> are running in production, or is it "bleeding edge?"
Introduced in 11.3 according to CCO. Maybe you're still on the old (and
stable) 11.2P series? Probably a good plan, btw.
[..]
> It's not moot in that IPFilter doesn't run on Linux on any reasonably new
> kernel (2.0.30 was the last if I recall correctly- that rules out 2.2 and
> 2.4 kernels *and* that was an old version of IPFilter that I wouldn't
> recommend running in a production environment.)
Ahhh, OK. I was obviously only half informed and shooting my mouth off
(nothing new).
So does ipfw do Linux? I know it's stateful but I haven't heard much about
it in terms of good/bad...
Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
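As an added illustration (not from this thread or from Cisco's documentation): the reflexive ACL shape the discussion refers to, on IOS 11.3 or later, where the only brake on state-table growth is the inactivity timeout Ben mentions. The interface name, host address and timeout values are assumptions.

```cisco
! Added example, not from the thread. Assumes Serial0 is the untrusted
! (Internet-facing) interface; names, addresses and timeouts are illustrative.
!
! Global default: expire reflexive entries after 120 s of inactivity
! (the IOS default is 300 s). Shorter timeouts are the only lever on the
! RAM that the state entries consume; there is no hard cap on their number.
ip reflexive-list timeout 120
!
! Outbound direction: each permitted session creates a temporary entry
! in the named reflexive list. Short-lived DNS lookups get an even
! shorter per-entry timeout so they do not linger in the table.
ip access-list extended outbound-filter
 permit tcp any any reflect tcp-state
 permit udp any any eq 53 reflect dns-state timeout 30
 permit icmp any any
 deny ip any any log
!
! Inbound direction: permit statically exposed services explicitly, then
! let the reflexive entries admit only return traffic for sessions that
! were started from inside. Everything else is dropped and logged.
ip access-list extended inbound-filter
 permit tcp any host 192.0.2.10 eq 25
 evaluate tcp-state
 evaluate dns-state
 deny ip any any log
!
interface Serial0
 ip access-group outbound-filter out
 ip access-group inbound-filter in
```

On a box that is also carrying BGP, watch the entry count with `show ip access-lists` under load before committing to a timeout value.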
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]