On Wed, Aug 24, 2005 at 09:15:48AM -0400, Timothy Donahue wrote:
> On Tuesday 23 August 2005 11:58 pm, eric wrote:
> > On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed...
> >
> > > It is plain simple bad advice.  And totally ridiculous.
> >
> > And plus, with ipv6, it's imperative that the filters be pushed down to the
> > end-host so we can quit relying on stupid firewalls and NAT bullshit to
> > break networks and slow progress. Itojun mentioned the fact that each host
> > should have a "firesuit" in the ipv6 world.  It's quite good advice.
> 
> Well, let's not get ahead of ourselves here.  Filtering at the network edge is
> "A Good Thing"(TM) when done correctly; it is NAT that is not necessarily a
> good thing.
Speaking as a network guy, NAT is "A Good Thing"; granted, it breaks some outdated
notion of end-to-end commo. But if more people paid strict attention to the
OSI model that would not matter. Simply put, if an application puts an IP addy
someplace my NAT box can't touch it, the application is broken. And in today's
world anything that puts one more layer between my network and the net is good.
Other than that I agree with everything else you've said.
> Filtering incoming (and possibly outgoing) traffic helps do
> several things, first it decreases the burden on your hosts.  It also allows 
> you a place to stop traffic that should never leave your network, for 
> example, only your mail servers should be allowed to send traffic on port 25.
> 
> I'm not saying that we should ignore host based firewalls, because that isn't 
> the case, I'm just recommending that you not be so quick to dismiss the value 
> of having a filter beyond the host.
> 

-- 
BOFH excuse #381:

Robotic tape changer mistook operator's tie for a backup tape.
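Tim's egress example (only the mail servers may send on port 25) written out as an OpenBSD pf ruleset for the edge box; this is an added illustration, not from anyone in the thread, and the interface name and addresses are assumed placeholders.

```pf
# Added example: edge filtering that complements, not replaces, a host filter.
ext_if = "em0"                 # assumed upstream interface
int_net = "192.0.2.0/24"       # assumed internal network (documentation range)
table <mail_servers> { 192.0.2.25, 192.0.2.26 }   # assumed mail relays

set skip on lo

# Default deny in both directions; everything below is an explicit exception.
block log all

# Egress: outbound SMTP from anything that is not a mail relay is dropped and
# logged, so a compromised or misconfigured host shows up in pflog instead of
# quietly spamming. "quick" stops rule evaluation so no later pass can override it.
block out log quick on $ext_if proto tcp from ! <mail_servers> to any port 25

# The relays themselves may deliver mail outbound.
pass out on $ext_if proto tcp from <mail_servers> to any port 25 keep state

# Ordinary outbound traffic from the internal network, stateful so replies return.
pass out on $ext_if inet proto { tcp udp icmp } from $int_net to any keep state

# Ingress: only the relays accept SMTP from outside; nothing else is reachable.
pass in on $ext_if proto tcp from any to <mail_servers> port 25 keep state
```

Check the logged egress hits with `tcpdump -n -e -ttt -i pflog0 port 25`; each one is a host on the inside that is trying to talk SMTP when it should not.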
