Arguing against using public IP space

Jay Ashworth jra at baylink.com
Tue Nov 15 21:19:29 UTC 2011


----- Original Message -----
> From: "Joe Greco" <jgreco at ns.sol.net>

> And some products, say like FreeBSD (which forms the heart of things
> like pfSense, so let's not even begin to argue that it "isn't a
> firewall") can actually be configured to default either way.

By Owen's definition, it's not.

> So basically, while we would all prefer that firewalls default to deny,
> it probably isn't as important a distinction as this thread is making
> it out to be, because even a "default to deny" firewall fails when a
> naive admin makes a typo and allows all traffic from 0/0
> inadvertently. It's just a matter of statistical likelihood.
> 
> Or perhaps a better argument would be that routers really ought to
> default to deny. :-) I'd be fine with that, but I can hear the
> screaming already.

But you're missing an important point here, Joe: we're not talking about
default configuration... we're talking about *failure modes*, which are by
definition unpredictable.

All you can really do there is figure the probabilities... and the probability
is that a *router-based* firewall (which as you and I agree, is a helluva lot
of firewalls) will *be more likely* to fail into pass traffic mode than into
don't pass traffic mode.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
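The "naive admin typo that allows all traffic from 0/0" failure mode Joe describes can at least be caught before a ruleset is loaded. What follows is an added example, not code from this post, from pfSense or from FreeBSD: a small Python linter over a constructed, simplified pf-style ruleset. It checks that the ruleset starts from an explicit `block all` (pf is last-match-wins, so that line is what makes it default-deny) and flags `pass` rules whose source is everything (`any`, `0/0`, `0.0.0.0/0`), rating the ones with no port narrowing as high severity. The grammar it accepts is a constructed subset of pf syntax, and the sample ruleset is constructed for the example.

```python
"""Added example (not from the NANOG post): lint a simplified pf-style
ruleset for the 'pass from everything' typo and a missing default deny."""

import ipaddress
import re

# Constructed sample ruleset: default deny, one legitimate public service
# on 443, and one over-broad 'pass ... from any to any' typo on line 5.
SAMPLE_RULES = """\
# default deny
block all
pass in on em0 proto tcp from 192.0.2.0/24 to 198.51.100.10 port 22
pass in on em0 proto tcp from 0/0 to 198.51.100.10 port 443
pass in on em0 from any to any
pass out on em0 from 198.51.100.0/24 to any
"""

# Constructed subset of pf rule syntax: action [all] [in|out] [on IF]
# [proto P] [from SRC] [to DST] [port N]. Real pf accepts far more.
RULE_RE = re.compile(
    r"^(?P<action>block|pass)(?P<all>\s+all)?(?:\s+(?P<dir>in|out))?"
    r"(?:\s+on\s+\S+)?(?:\s+proto\s+\S+)?(?:\s+from\s+(?P<src>\S+))?"
    r"(?:\s+to\s+(?P<dst>\S+))?(?:\s+port\s+(?P<port>\S+))?\s*$"
)


def is_everything(addr):
    """True if the address token matches every IPv4 source."""
    if addr is None or addr in ("any", "0/0"):
        return True
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def parse_rules(text):
    """Parse the ruleset into dicts; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rule = m.groupdict()
        rule["line"] = lineno
        rules.append(rule)
    return rules


def has_default_deny(rules):
    """An explicit 'block all' before the first pass rule is what makes a
    last-match-wins ruleset default-deny."""
    for r in rules:
        if r["action"] == "block" and r["all"]:
            return True
        if r["action"] == "pass":
            return False
    return False


def find_overbroad_pass(rules):
    """Return (line, severity) for pass rules admitting traffic from every
    source: 'high' if nothing narrows the port, 'info' otherwise."""
    findings = []
    for r in rules:
        if r["action"] != "pass" or not is_everything(r["src"]):
            continue
        severity = "high" if r["port"] is None else "info"
        findings.append((r["line"], severity))
    return findings


def lint(text):
    """Lint a ruleset and return the default-deny status plus findings."""
    rules = parse_rules(text)
    return {"default_deny": has_default_deny(rules),
            "findings": find_overbroad_pass(rules)}


if __name__ == "__main__":
    report = lint(SAMPLE_RULES)
    print("default deny:", report["default_deny"])
    for line, severity in report["findings"]:
        print(f"line {line}: pass rule admits every source ({severity})")
```

Run it as a pre-commit or pre-`pfctl -f` check; the high-severity finding is the typo Joe describes, while the info-level one on port 443 is the kind of deliberately public service a reviewer only needs to eyeball. Note that this only addresses the configuration side of the thread; it says nothing about how the box behaves when it fails.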