Date: Mon, 26 Feb 1996 20:14:31 -0600 (CST)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: nate@sri.MT.net (Nate Williams)
Cc: jgreco@brasil.moneng.mei.com, nate@sri.MT.net, phk@critter.tfs.com, stable@freebsd.org, current@freebsd.org
Subject: Re: -stable hangs at boot (fwd)
Message-ID: <199602270214.UAA16377@brasil.moneng.mei.com>
In-Reply-To: <199602262204.PAA01109@rocky.sri.MT.net> from "Nate Williams" at Feb 26, 96 03:04:06 pm
> It's more work.  But, in retrospect I could have solved the problem with
> the time I spent answering email. :)

Isn't that always the case though :-)

> > I think we agree, but you are "solving" the problem by breaking the tool.
>
> We aren't breaking anything.  The tool simply blocks packets based on
> what you want it to do.  If you want it to block *all* packets, then
> tell it to.  I don't want it to do anything unless I tell it to.  That's
> the purpose of the tool.  I want the tool to enforce my policies.

As a firewall, I interpret the purpose of the tool as being a policy
enforcement tool.  One of them is that I want to prevent ANY "bad packets"
from entering my networks.  That policy cannot be enforced by an IPFW
implementation that periodically chooses to allow all packets through just
because somebody flushed all the rules while reloading them.  That policy
CAN be enforced by an IPFW implementation that periodically chooses to
allow NO packets through.

Since the basic purpose of IPFW is to provide a tool to enforce policies, I
submit that an implementation that knowingly and by design allows policies
to be violated is inherently flawed and dangerous, even if the policy
violations are only momentary at best.  This is the way you would have the
implementation work.  The way I would like it implemented, this would not
be a problem.

> > I've never seen a firewall product that is open by default.  That is an
> > oxymoron.
>
> A firewall is *always* open by default.  You determine what it is to
> firewall against.  All of them haven't told me how to make policy, or
> force me to 'revert' behavior.  Firewalls don't make policy, they
> enforce policy.

I disagree with that analysis of a firewall, but that is semantics, and
irrelevant to this discussion.

You can build your house from the ground up and wind up with your dream
house.  You can start with a prefab house and remodel it and wind up with
your dream house.

I think we agree that either method yields the desired "dream house".
However, my point is that when you start from the ground up, you have to
worry about the rain getting in the unfinished house and ruining the
structure...  you just don't have those sorts of problems when you're just
remodeling.  :-)

THAT is what _I_ am trying to argue!

Good night,

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/546-7968
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199602270214.UAA16377>
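The disagreement above is about what a packet filter does in the window between flushing its rules and finishing the reload: with a default-accept verdict the filter fails open and anything gets through, with a default-deny verdict it fails closed. The simulation below is an added example written for this archive page; it is not FreeBSD or ipfw code, and the packets, addresses and the two-rule policy are constructed. It also shows a third option the thread does not discuss, staging the new table aside and swapping it in with a single assignment, which removes the window entirely rather than choosing what to do inside it (modern ipfw(8) rule sets and `ipfw set swap` make this pattern available in practice).

```python
"""Fail-open vs fail-closed behaviour during a firewall rule reload.

Constructed simulation added to illustrate the thread; it is not FreeBSD or
ipfw code.  Packets, addresses and the policy below are made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    match: Callable[[Packet], bool]    # first matching rule wins


class Firewall:
    """A first-match filter with a default verdict for unmatched packets."""

    def __init__(self, default: str) -> None:
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.default = default
        self.rules: List[Rule] = []

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.match(pkt):
                return rule.action
        return self.default

    def reload_flush_then_add(self, new_rules: List[Rule],
                              in_flight: List[Packet]) -> Dict[Packet, str]:
        """Flush, then re-add one rule at a time (the `flush; add; add ...`
        pattern).  Packets in `in_flight` arrive while the table is empty,
        so the only thing that can judge them is the default verdict."""
        self.rules = []
        verdicts = {pkt: self.decide(pkt) for pkt in in_flight}
        for rule in new_rules:
            self.rules.append(rule)
        return verdicts

    def reload_swap(self, new_rules: List[Rule],
                    in_flight: List[Packet]) -> Dict[Packet, str]:
        """Stage the new table aside and swap it in with one assignment.
        Traffic during the reload is judged by the old, complete table."""
        staged = list(new_rules)
        verdicts = {pkt: self.decide(pkt) for pkt in in_flight}
        self.rules = staged
        return verdicts


def policy() -> List[Rule]:
    """Constructed policy: block telnet, permit HTTP, leave the rest unmatched."""
    return [
        Rule("deny", lambda p: p.dport == 23),
        Rule("allow", lambda p: p.dport == 80),
    ]


# Constructed traffic: a telnet probe the policy must stop, and a web request.
TELNET_PROBE = Packet("198.51.100.7", 23)
WEB_REQUEST = Packet("203.0.113.9", 80)


def verdicts_during_reload(default: str, atomic: bool) -> Tuple[str, str]:
    """(verdict for TELNET_PROBE, verdict for WEB_REQUEST) for packets that
    arrive while the rule set is being reloaded."""
    fw = Firewall(default)
    fw.reload_swap(policy(), [])            # initial, uncontested load
    reload = fw.reload_swap if atomic else fw.reload_flush_then_add
    seen = reload(policy(), [TELNET_PROBE, WEB_REQUEST])
    return seen[TELNET_PROBE], seen[WEB_REQUEST]


def verdicts_after_reload(default: str) -> Tuple[str, str]:
    """Steady state once the reload has finished; identical for both defaults."""
    fw = Firewall(default)
    fw.reload_flush_then_add(policy(), [])
    return fw.decide(TELNET_PROBE), fw.decide(WEB_REQUEST)


if __name__ == "__main__":
    for default in ("allow", "deny"):
        print(f"default {default}, flush-then-add:",
              verdicts_during_reload(default, atomic=False))
        print(f"default {default}, swap:          ",
              verdicts_during_reload(default, atomic=True))
```

With default-accept and flush-then-add, the telnet probe is allowed during the reload and the policy is violated, which is the case the message calls inherently flawed. With default-deny the probe is blocked but the legitimate web request is dropped for the duration of the reload, the price of failing closed. The staged swap gives the policy's own verdicts throughout, so the default never gets consulted for anything the policy actually covers.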