On Mon, Aug 12, 2002 at 03:27:35PM -0700, Chris Willis wrote:
> I did not want to discuss the particular application, as it was developed 
> by an outside vendor for us to use.  It is a confidential app.
It would have been nice if you had mentioned this initially.  Perhaps the
application itself could be modified.

> Besides, the application is not of consequence.
Actually it sort of is, seeing as you're making suggestions to modify
the behavior of a low-level packet filter in order to ensure that the
application performs correctly.
 
> The logistical problems don't seem that big of a deal.  If the server 
> records that 192.168.100.100 sends out tcp 5000 packets to 20.20.20.20, 
> then it should have no problem knowing that udp 4900-1 should go back to 
> 192.168.100.100.  Heck, it probably isn't even much extra code.
You might want to actually look at the code before making such
statements.  Or perhaps you can do it yourself since it isn't even much
extra code.

> putting words into my email that I never typed.  Actually, the mod that I 
> proposed would be great with the majority of IM and P2P clients out 
> there, wouldn't it?
No it wouldn't.  What are you talking about?
 
> And finally, you say that sysadmins would ruin rulesets?  Why are you so 
> intent on treating people like children?  You should operate on the 
> assumption that people are perfectly capable of writing a good ruleset.  
> When you operate on the assumption that people are incompetent, you just 
> come off as very arrogant.  I certainly don't enjoy dealing with arrogant 
> people.
Well, the admins who would potentially use this proposed feature, yes.
It would not take a lot of effort to trick the firewall into exposing
the ports.  People aren't perfectly capable of writing a good ruleset.
This is evident from the amount of traffic on the mailing lists asking
for assistance in creating rudimentary rule sets.  
