State of the Firewall

Keywords: #firewall

Or the stateful-firewall. Interesting little thing to get bit by. But to understand it at all I have to go into a little bit of explanation. We use LVS in what’s known as a Direct Routing (LVS/DR) configuration. We have a (large) number of VIP’s that the load balancers handle. The VIP’s are not on any subnet but are rather routed to the load balancers via OSPF.

This makes for a REALLY confused stateful firewall when connections originate on the same subnet as the real machines handling the VIPs because they respond directly to the source, bypassing the firewall. The source replies back up through the firewall, or atleast tries to. A good stateful firewall will block this. The Juniper M7i ASM does exactly this.

End result. Vacation auto-responders “sort of” stopped working from one of our mail back ends. By “sort of” I mean it wouldn’t get into any local domains. Honestly…I don’t care. I *HATE* the damned things. Scourge of the internet. Or one of them anyway.