On Dec 9, 2013, at 9:36 AM, Christoph Berthoud wrote:

> a) I will be hiding behind a dedicated firewall appliance and not relying on the OS firewalls
https://app.box.com/s/a3oqqlgwe15j8svojvzl
Servers really should never be placed behind stateful firewalls - they don't actually do any good, they don't really make sense (all incoming connections are unsolicited, so there's no state to inspect), and they render the servers much more vulnerable to DDoS attacks than if the firewalls weren't there.
Network access policy should typically be expressed using stateless ACLs in hardware-based routers or layer-3 switches.
Same goes for NAT - I've seen horror story after horror story about NATted servers.
-----------------------------------------------------------------------
Roland Dobbins
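The two filtering models contrasted in the post, as an added worked example that is not part of Roland's message or of anything he links to. It models a stateless router/switch ACL (IOS-style entries, including an `established` entry that only checks the ACK/RST bits and keeps no per-flow state) next to a stateful firewall whose connection table has a fixed capacity, then runs a constructed SYN flood against a server behind each. The server address, ACL entries, flood size and the 1000-entry table capacity are all assumptions chosen for illustration, not figures from the thread.

```python
"""Stateless ACL vs. stateful firewall under a SYN flood (constructed model).

Assumptions (not from the original post): server 192.0.2.10 exposes TCP 80/443,
the stateful firewall holds at most 1000 flows, and the flood is 5000 SYNs from
distinct spoofed sources.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: int = 0


@dataclass(frozen=True)
class AclEntry:
    """One line of a stateless ACL; None means 'any'."""
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip"
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False      # IOS-style: match only if ACK or RST is set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.flags & (TCP_ACK | TCP_RST)):
            return False
        return True


def stateless_acl(entries: List[AclEntry], p: Packet) -> str:
    """First matching entry wins; implicit deny at the end. No state is kept."""
    for e in entries:
        if e.matches(p):
            return e.action
    return "deny"


# Inbound ACL on the server-facing interface (assumed policy).
SERVER_ACL = [
    AclEntry("permit", "tcp", SERVER, 80),
    AclEntry("permit", "tcp", SERVER, 443),
    AclEntry("permit", "tcp", SERVER, established=True),  # replies to server-initiated flows
]


class StatefulFirewall:
    """Same policy, but every permitted new flow consumes a connection-table slot."""

    def __init__(self, policy: Callable[[Packet], str], capacity: int):
        self.policy, self.capacity, self.table = policy, capacity, set()

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if key in self.table:
            return "permit"                      # existing flow
        if self.policy(p) != "permit":
            return "deny"
        if len(self.table) >= self.capacity:
            return "deny"                        # table exhausted: new flows fail
        self.table.add(key)
        return "permit"


def syn_flood(n: int) -> List[Packet]:
    """Constructed flood: n SYNs to port 80 from distinct spoofed sources/ports."""
    return [Packet(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", SERVER, "tcp",
                   1024 + i % 60000, 80, TCP_SYN) for i in range(n)]


def simulate(flood_size: int = 5000, table_size: int = 1000) -> dict:
    """Run the flood, then one legitimate client SYN, through both filters."""
    fw = StatefulFirewall(lambda p: stateless_acl(SERVER_ACL, p), table_size)
    flood = syn_flood(flood_size)
    legit = Packet("203.0.113.7", SERVER, "tcp", 50000, 443, TCP_SYN)
    return {
        "stateless_flood_permitted": sum(stateless_acl(SERVER_ACL, p) == "permit" for p in flood),
        "stateful_flood_permitted": sum(fw.filter(p) == "permit" for p in flood),
        "stateless_legit": stateless_acl(SERVER_ACL, legit),
        "stateful_legit": fw.filter(legit),
    }


if __name__ == "__main__":
    print(simulate())
```

The stateless ACL forwards every SYN to the server, which can cope with them using its own SYN-cookie and backlog mechanisms; the stateful device fills its table with half-open entries from spoofed sources and then refuses the legitimate client's SYN, which is the failure mode the post describes. In a real deployment the ACL would sit on the router or layer-3 switch interface rather than in software.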