On Tue, Apr 24, 2012 at 4:54 AM, Stefan Baur <newsgroups.ma...@stefanbaur.de> wrote:

> On 24.04.2012 10:50, Gerald A wrote:
>
>  Uh, don't get me wrong, I'm all for timely updates that fix security
> issues.  I just don't want to drag fancy stuff along that I don't need.
>  And at present, that's what full IPv6 support is for me.


I respectfully disagree. I think that you can turn off IPv6 support, which
is better than an older firewall we ran across, where "no support" for IPv6
meant it transparently passed those packets through the firewall.


>> My suggestion is that you have a couple of boxes to do this -- you don't
>> need anything too fancy or expensive for the second box -- and then you
>> can simply upgrade the second one, swap them to see if there are issues
>> and quickly swap back if there are any, and when you get your "warm
>> fuzzy" feeling, upgrade the original.
>>
>
> This works fine when you're on-site to pull the plug on a misbehaving
> system, but not with remote locations where your only access is through the
> firewall that you're updating.
>

My advice was aimed at a low-cost deployment, but if it's that remote, you
might want to consider either a pair of redundant firewalls, or something
like CF (not sure if SD cards are supported) based firewalls, where you can
have non-technical personnel swap the cards.
Our failover has saved us a couple of times now, and it makes upgrading
very easy.
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
