On Tuesday 23 August 2005 11:58 pm, eric wrote:
> On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed...
>
> > It is plain simple bad advice. And totally ridiculous.
>
> And plus, with ipv6, it's imperative that the filters be pushed down to the
> end-host so we can quit relying on stupid firewalls and NAT bullshit to
> break networks and slow progress. Itojun mentioned the fact that each host
> should have a "firesuit" in the ipv6 world. It's quite good advice.
Well, let's not get ahead of ourselves here. Filtering at the network edge is "A Good Thing"(TM) when done correctly; it is NAT that is not necessarily a good thing. Filtering incoming (and possibly outgoing) traffic does several things. First, it decreases the burden on your hosts. It also gives you a place to stop traffic that should never leave your network; for example, only your mail servers should be allowed to send traffic on port 25. I'm not saying that we should ignore host-based firewalls, because that isn't the case; I'm just recommending that you not be so quick to dismiss the value of having a filter beyond the host.
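As an added illustration of the edge-filter-without-NAT point made above (this is editorial example code, not a ruleset posted by anyone in the thread), here is a pf.conf for a routing gateway that denies by default, publishes only SMTP to the mail servers inbound, and lets only those mail servers originate SMTP outbound. The interface names em0/em1, the 192.0.2.0/24 documentation prefix, and the two mail server addresses are assumptions to be replaced with your own.

```pf
# Added example, not from the original thread. Assumptions: em0 faces the
# Internet, em1 faces the LAN, the LAN is 192.0.2.0/24, and the hosts in
# <mailservers> are the only machines that should ever speak SMTP outward.
ext_if = "em0"
int_if = "em1"
lan    = "192.0.2.0/24"
table <mailservers> const { 192.0.2.25, 192.0.2.26 }

set skip on lo

# Drop packets whose source address could not legitimately arrive on
# that interface (spoofed LAN addresses from outside, and vice versa).
antispoof quick for { $ext_if $int_if }

# Default deny in both directions. Logging the default rule means a
# misconfigured host shows up in pflog instead of failing silently.
block log all

# Inbound from the Internet: only the service that is actually published.
# No NAT is involved; the mail servers have routable addresses and the
# state entry is what keeps unsolicited packets off the LAN.
pass in on $ext_if proto tcp from any to <mailservers> port smtp keep state

# Egress control: any LAN host other than a mail server reaching out to
# port 25 is either misconfigured or compromised. "quick" makes this win
# over the general outbound pass rule below, and the log shows you which
# host it was.
block out log quick on $ext_if proto tcp from ! <mailservers> to any port smtp
pass out on $ext_if proto tcp from <mailservers> to any port smtp keep state

# Everything else the LAN originates is allowed, statefully, so replies
# get back in without opening inbound holes.
pass in  on $int_if from $lan to any keep state
pass out on $ext_if from $lan to any keep state
pass out on $int_if from any to $lan keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect what is in force with `pfctl -sr`; `tcpdump -n -e -ttt -i pflog0 port 25` will then show you any non-mail host that tries to send mail directly. Note that the ruleset covers traffic forwarded through the gateway only; the gateway's own outgoing connections need their own pass rules, and host-based filters on the servers themselves remain worthwhile on top of this.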