I'm looking for recommendations for network load balancers. These, at this time, will primarily be used to attach to a cluster of webservers although I would like a solution which can be repurposed to other applications later. I am looking at F5's Big IP, Cisco's SLB, and Foundry's ServerIron at this time.
We have Cisco 11503s and F5 Big IPs in our network. I bought the Big IPs because I was getting rather fed up with the Cisco stuff. Each has their quirks but I think I prefer the F5, especially for box-to-box redundancy. That's really rough with the Cisco gear unless you want to fork out a lot of cash for their ridiculously expensive ethernet modules so you can get a direct box-to-box connection. If you have load-balanced servers behind an F5 that also must be available for direct connection, then the F5 is a huge pain, while that is extremely simple with the Cisco gear. Other than that, I think the F5 is a better product and easier to manage once you get used to how it works. If you've previously used the Cisco gear, you have to unlearn a few concepts and terms in order to make sense of the F5 world. Regards, John --
We've used Foundry ServerIrons successfully in various configurations for the last four years. Keith Keith Washington The Weather Channel Interactive, TWCi 770-226-2685 office, 404-225-0221 pager keithw.pager@1weather.com text page "John Neiberger" <John.Neiberger@efirstbank.com> To: <nanog@merit.edu> cc: Sent by: owner-nanog@merit.edu Subject: Re: NLB Recommendations 06/09/2004 01:57 PM
I'm looking for recommendations for network load balancers. These, at this time, will primarily be used to attach to a cluster of webservers although I would like a solution which can be repurposed to other applications later. I am looking at F5's Big IP, Cisco's SLB, and Foundry's ServerIron at this time.
We have Cisco 11503s and F5 Big IPs in our network. I bought the Big IPs because I was getting rather fed up with the Cisco stuff. Each has their quirks but I think I prefer the F5, especially for box-to-box redundancy. That's really rough with the Cisco gear unless you want to fork out a lot of cash for their ridiculously expensive ethernet modules so you can get a direct box-to-box connection. If you have load-balanced servers behind an F5 that also must be available for direct connection, then the F5 is a huge pain, while that is extremely simple with the Cisco gear. Other than that, I think the F5 is a better product and easier to manage once you get used to how it works. If you've previously used the Cisco gear, you have to unlearn a few concepts and terms in order to make sense of the F5 world. Regards, John --
Hello, I would like to hear from Charter Communication's network/security team why they have filtered outbound port 25 without any notice as of yesterday. Does anybody else know of other cable/DSL providers that simply block outbound port 25? thanks arman
I wish Comcast and Verizon would block port 25. You can easily get around the block by tunneling to a remote server. -- Matthew ----- Original Message ----- From: "Arman" <arman@unitedlayer.com> To: <nanog@merit.edu> Sent: Wednesday, June 09, 2004 9:03 PM Subject: Charter blocking Port 25
I would like to hear from Charter Communication's network/security team why they have filtered outbound port 25 without any notice as of yesterday.
Does anybody else know of other cable/DSL providers that simply block outbound port 25?
Or, just move your mail/SMTP port to 587 and you'll be fine. DJ Matthew McGehrin wrote:
I wish Comcast and Verizon would block port 25.
You can easily get around the block by tunneling to a remote server.
-- Matthew
----- Original Message ----- From: "Arman" <arman@unitedlayer.com> To: <nanog@merit.edu> Sent: Wednesday, June 09, 2004 9:03 PM Subject: Charter blocking Port 25
I would like to hear from Charter Communication's network/security team why they have filtered outbound port 25 without any notice as of yesterday.
Does anybody else know of other cable/DSL providers that simply block outbound port 25?
Cox does, and Adelphia is moving that way. Good job, Charter. At 07:03 PM 6/9/2004, Arman wrote:
Hello,
I would like to hear from Charter Communication's network/security team why they have filtered outbound port 25 without any notice as of yesterday.
Does anybody else know of other cable/DSL providers that simply block outbound port 25?
thanks arman
W. Mark Herrick, Jr. Director - Data and Network Security Adelphia Communications 5619 DTC Parkway Greenwood Village, CO 80111 (O) 303-268-6440 (C) 720-252-5929 (F) 303-268-6382
Cox also filters your e-mail on their SMTP server such that if it contains both words "root" and "password" it will get silently dropped. This is why I'm using an alternate port to bypass their SMTP server (or you wouldn't get this e-mail). Grisha On Wed, 9 Jun 2004, W. Mark Herrick, Jr. wrote:
Cox does, and Adelphia is moving that way.
Good job, Charter.
At 07:03 PM 6/9/2004, Arman wrote:
Hello,
I would like to hear from Charter Communication's network/security team why they have filtered outbound port 25 without any notice as of yesterday.
Does anybody else know of other cable/DSL providers that simply block outbound port 25?
thanks arman
W. Mark Herrick, Jr. Director - Data and Network Security Adelphia Communications 5619 DTC Parkway Greenwood Village, CO 80111 (O) 303-268-6440 (C) 720-252-5929 (F) 303-268-6382
on 6/9/04 9:10 PM, Gregory (Grisha) Trubetskoy at grisha@ispol.com wrote:
Cox also filters your e-mail on their SMTP server such that if it contains both words "root" and "password" it will get silently dropped. This is why I'm using an alternate port to bypass their SMTP server (or you wouldn't get this e-mail).
I find it hard to believe that Cox has secretly implemented a policy of dropping all outgoing mail that contains the phrase "root password." In fact, I just sent this e-mail to the NANOG mailing list via the Cox SMTP server smtp.west.cox.net, so if they have implemented such a policy, they haven't implemented it on all of their servers. -Richard
I just tested it and it looks like it isn't happening anymore. But it definitely was (smtp.east.cox.net), and made me look like an idiot in one situation where I was convinced the recipient's filter is dropping my e-mail. If you google usenet for "cox root password" you'll see other people describing it. To be fair, this was more likely a fluke and Cox isn't to blame since they are just trying to do their best to deal with spam... My message was meant more as a general warning to people, not an anti-Cox thing of any kind, my cable modem has been very stable lately and throughput is excellent :-) Grisha On Wed, 9 Jun 2004, Richard Parker wrote:
on 6/9/04 9:10 PM, Gregory (Grisha) Trubetskoy at grisha@ispol.com wrote:
Cox also filters your e-mail on their SMTP server such that if it contains both words "root" and "password" it will get silently dropped. This is why I'm using an alternate port to bypass their SMTP server (or you wouldn't get this e-mail).
I find it hard to believe that Cox has secretly implemented a policy of dropping all outgoing mail that contains the phrase "root password." In fact, I just sent this e-mail to the NANOG mailing list via the Cox SMTP server smtp.west.cox.net, so if they have implemented such a policy, they haven't implemented it on all of their servers.
-Richard
On 06/09/04, Arman <arman@unitedlayer.com> wrote:
Does anybody else know of other cable/DSL providers that simply block outbound port 25?
Many of 'em do. If your contract says you can run servers on your connection, then you should call and complain. On the other hand, if Charter prohibits running servers on your connection...well, you get what you pay for. Either way, this is one of those issues where everyone has an opinion and they've all been stated before. -- J.D. Falk "be crazy dumbsaint of the mind" <jdfalk@cybernothing.org> -- Jack Kerouac
But this is different - I'm not running a mail server -on- my Cox connection. I'm running one external to Cox but I can't connect to port 25 on it. In reality this isn't a problem for me but it is for those who don't know how to configure their mail readers for a different outbound port. On Jun 9, 2004, at 7:06 PM, J.D. Falk wrote:
On 06/09/04, Arman <arman@unitedlayer.com> wrote:
Does anybody else know of other cable/DSL providers that simply block outbound port 25?
Many of 'em do. If your contract says you can run servers on your connection, then you should call and complain.
On the other hand, if Charter prohibits running servers on your connection...well, you get what you pay for.
Either way, this is one of those issues where everyone has an opinion and they've all been stated before.
-- J.D. Falk "be crazy dumbsaint of the mind" <jdfalk@cybernothing.org> -- Jack Kerouac
-- matthew zeier - "Nothing in life is to be feared. It is only to be understood." - Marie Curie
--On Wednesday, June 9, 2004 8:03 PM -0700 matthew zeier <mrz@velvet.org> wrote:
In reality this isn't a problem for me but it is for those who don't know how to configure their mail readers for a different outbound port.
A common counter argument is that those are the people who probably shouldn't have unfettered port 25 access. However, I think this is time for my "spam-l is two folders over" comment.
On Wed, 9 Jun 2004, matthew zeier wrote: : But this is different - I'm not running a mail server -on- my Cox : connection. I'm running one external to Cox but I can't connect to : port 25 on it. That's why port 587 was invented. It's the MSA (mail *submission* agent) port, intended only for initial injection of mail into the SMTP delivery network. Learn it, believe it, use it. 8-) -- -- Todd Vierling <tv@duh.org> <tv@pobox.com>
On Thu, 2004-06-10 at 16:28, Todd Vierling wrote:
On Wed, 9 Jun 2004, matthew zeier wrote:
: But this is different - I'm not running a mail server -on- my Cox : connection. I'm running one external to Cox but I can't connect to : port 25 on it.
That's why port 587 was invented. It's the MSA (mail *submission* agent) port, intended only for initial injection of mail into the SMTP delivery network. Learn it, believe it, use it. 8-)
Mail *SPAM* Agent? ;) when spammers also start probing for that port... A site that has a bad port 25 policy will likely also have a bad MSA policy. MSA's can also be open relays just like standard port 25. Splitting submission from transfer seems like a good idea though, but in the light of good MTA's, so that the MSA doesn't need to add a handful of headers and also SMTP-AUTH and TLS it doesn't make much difference. Requiring *Authentication*, may that be on 25 or 587, is the way to go here... but then still that 'neighbor' will have a misconfig and spam straight away. Not even talking about the bots. Greets, Jeroen
On Thu, 10 Jun 2004, Jeroen Massar wrote: : > That's why port 587 was invented. It's the MSA (mail *submission* agent) : > port, intended only for initial injection of mail into the SMTP delivery : > network. Learn it, believe it, use it. 8-) : : Mail *SPAM* Agent? ;) Port 587 should always be authenticated. If it isn't, that's a misconfiguration. (Of course, those of us on SPAM-L have even seen bots successfully perform SMTP AUTH, but that's certainly in the minority. Port-25 blocking for dynamic/residential ranges is still considered good form, as it does cut down significantly on the level of unauthenticated wormspew.) -- -- Todd Vierling <tv@duh.org> <tv@pobox.com>
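The claim above that an unauthenticated port 587 is a misconfiguration can be checked from a recorded SMTP dialogue. The following is an added example, not part of any post in this thread: it parses constructed client/server transcript excerpts (the hosts, addresses and the `parse_session` / `audit_submission` names are made up for illustration) and reports every recipient the server accepted before a successful AUTH (reply code 235).

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # "250-text" continues, "250 text" ends

def parse_session(text):
    """Group 'C: ...' / 'S: ...' transcript lines into (command, final_code) pairs."""
    exchanges, command = [], None
    for raw in text.strip().splitlines():
        side, _, body = raw.strip().partition(": ")
        if side == "C":
            command = body
        elif side == "S":
            m = REPLY.match(body)
            if m and m.group(2) == " ":  # final line of a possibly multi-line reply
                exchanges.append((command, int(m.group(1))))
                command = None
    return exchanges

def audit_submission(text):
    """Return the RCPT arguments the server accepted before any successful AUTH."""
    authed, accepted = False, []
    for command, code in parse_session(text):
        verb, _, arg = (command or "").partition(" ")
        if code == 235:  # 235 = authentication succeeded
            authed = True
        elif verb.upper() == "RCPT" and not authed and 200 <= code < 300:
            accepted.append(arg)
    return accepted

# Constructed transcript excerpts; hosts and addresses are placeholders.
OPEN_MSA = """
C: EHLO client.example.org
S: 250-msa.example.net
S: 250 PIPELINING
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<b@example.com>
S: 250 2.1.5 Ok
"""
AUTHED_MSA = """
C: MAIL FROM:<a@example.org>
S: 530 5.7.0 Authentication required
C: AUTH PLAIN (credentials elided)
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<b@example.com>
S: 250 2.1.5 Ok
"""
```

Only RCPT is judged, because some servers accept MAIL FROM unauthenticated and refuse relaying at the recipient stage; `audit_submission(OPEN_MSA)` lists the relayed recipient, while `audit_submission(AUTHED_MSA)` is empty.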
Well this could explain the large drop in SPAM loads seen by a lot of us (at least in part).
We block outgoing port 25 for dynamic address users. It's strict policy. br -- Konstantin Barinov INFONET AS http://infonet.ee Thursday, June 10, 2004, 4:03:12 AM, you wrote: A> Hello, A> I would like to hear from Charter Communication's network/security team A> why they have filtered outbound port 25 without any notice as of yesterday. A> Does anybody else know of other cable/DSL providers that simply block A> outbound port 25? A> thanks A> arman
participants (16)
- Arman
- Deepak Jain
- Gregory (Grisha) Trubetskoy
- Henning Brauer
- J.D. Falk
- Jeroen Massar
- John Neiberger
- John Payne
- Keith Washington
- Konstantin Barinov
- Matthew McGehrin
- matthew zeier
- Michael Loftis
- Richard Parker
- Todd Vierling
- W. Mark Herrick, Jr.