What is the rationale behind this rule in the first place?

Maybe because I originally come from the routing-in-hardware world, I don’t 
even have connection tracking enabled on my network routers (with the exception 
of some dedicated routers trying to be a poor man’s Procera).  I guess if I had 
customers sharing public IPs I would have to.

My view is that border/core/tower routers only care about routes: this packet 
is going to this destination IP, so it goes out this interface to this next hop. 
 And some QoS marks.  Not sure I want the network routers worrying about 
stateful firewall rules and application specific fixups and tracking every 
source/destination/IP/port combination.


From: Joshaven Mailing Lists 
Sent: Monday, November 09, 2015 2:26 PM
To: [email protected] 
Subject: Re: [AFMUG] drop invalid state when asymmetric

You cannot have a connection that is indicated on one router continued on 
another router without being invalid.  

One magic trick is having the best routing information for network egress.  
This way the device will pick the best path out and in to your network.

Another magic trick would be to drop invalid connections on the input chain but 
not the forward chain of your edge router, and drop invalid on the forward chain on 
the router closest to your client.  A good connection would not be invalid on 
the customer touching router because it would always traverse this router.



Sincerely,
Joshaven Potter
MTCNA, MTCRE, MTCWE, MTCTCE, UACA
Google Hangouts: [email protected]
Cell & SMS: 1-517-607-9370
[email protected]



  On Nov 9, 2015, at 3:11 PM, That One Guy /sarcasm <[email protected]> 
wrote:

  If I have some asymmetric routes on the network, and there is a drop invalid 
state rule in the forward chain, is there any magician trick to get around 
disabling this rule? (It's considered invalid because connection tracking is 
only seeing half the traffic.) 

  Fixing the asymmetry is the long term solution, just curious about today.


  -- 

  If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.
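As an added illustration (not part of the thread or anyone's router config), a toy Python connection tracker run from three vantage points: an edge router that only sees the outbound direction, one that only sees the inbound direction, and the customer-facing router that sees both. It shows why the inbound-only edge router flags a perfectly good session as invalid while the customer-facing router never does. Addresses, packets and router roles are constructed.

```python
# Added example (not from the thread): a minimal model of the NEW /
# ESTABLISHED / INVALID verdicts a stateful firewall's connection tracker
# gives TCP packets, run from routers that see different halves of an
# asymmetric path. All packet data and router roles are constructed.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags direction")  # direction: "out" or "in"


class ConnTracker:
    """Toy tracker: a bare SYN opens a flow, packets of a known flow are
    ESTABLISHED, and anything with no matching flow is INVALID."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(p):
        # Direction-independent flow key so replies match the original flow.
        return frozenset([p.src, p.dst])

    def classify(self, p):
        k = self.key(p)
        if "SYN" in p.flags and "ACK" not in p.flags:
            self.flows.add(k)
            return "NEW"
        if k in self.flows:
            return "ESTABLISHED"
        return "INVALID"


# Constructed session: customer 10.0.0.5 opens a TCP session to 203.0.113.10.
SESSION = [
    Pkt("10.0.0.5", "203.0.113.10", ("SYN",), "out"),
    Pkt("203.0.113.10", "10.0.0.5", ("SYN", "ACK"), "in"),
    Pkt("10.0.0.5", "203.0.113.10", ("ACK",), "out"),
    Pkt("203.0.113.10", "10.0.0.5", ("ACK", "PSH"), "in"),
]


def classify_at_router(seen_directions, session=SESSION):
    """Feed only the directions this router actually carries (the asymmetric
    case) to a fresh tracker and return (direction, verdict) per packet seen."""
    ct = ConnTracker()
    return [(p.direction, ct.classify(p))
            for p in session if p.direction in seen_directions]


def invalid_count(seen_directions):
    """Number of packets a forward-chain drop-invalid rule would discard."""
    return sum(1 for _, v in classify_at_router(seen_directions) if v == "INVALID")
```

The edge router carrying only the return path (`{"in"}`) marks every reply INVALID, so a drop-invalid rule in its forward chain kills the session, while the customer-facing router (`{"out", "in"}`) sees both halves and drops nothing.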
