Arguing against using public IP space
Jay Ashworth
jra at baylink.com
Tue Nov 15 21:19:29 UTC 2011
----- Original Message -----
> From: "Joe Greco" <jgreco at ns.sol.net>
> And some products, say like FreeBSD (which forms the heart of things
> like pfSense, so let's not even begin to argue that it "isn't a
> firewall") can actually be configured to default either way.
By Owen's definition, it's not.
> So basically, while we would all prefer that firewalls default to deny,
> it probably isn't as important a distinction as this thread is making
> it out to be, because even a "default to deny" firewall fails when a
> naive admin makes a typo and allows all traffic from 0/0
> inadvertently. It's just a matter of statistical likelihood.
>
> Or perhaps a better argument would be that routers really ought to
> default to deny. :-) I'd be fine with that, but I can hear the
> screaming already.
But you're missing an important point here, Joe: we're not talking about
default configuration... we're talking about *failure modes*, which are by
definition unpredictable.
All you can really do there is figure the probabilities... and the probability
is that a *router-based* firewall (which as you and I agree, is a helluva lot
of firewalls) will *be more likely* to fail into pass traffic mode than into
don't pass traffic mode.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
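The thread's concern about a "default to deny" policy being undone by a single typo that passes traffic from 0/0 is something a config linter can catch before the ruleset is loaded. The following is an added example, not code from this thread or from any firewall project: it parses a simplified subset of pf.conf syntax (the `pass`/`block` keywords with `in`/`out`, `on`, `proto`, `from`, `to`, `port`, and `block all`), checks that the policy opens with a catch-all `block` rule so that anything not explicitly passed is dropped (pf's last-matching-rule semantics), and flags any `pass` rule whose source is unrestricted and which carries no port restriction. The three rulesets at the bottom are constructed for the demonstration.

```python
"""Lint a pf-style ruleset for a missing default-deny rule and for
accidental allow-all rules.  Added example; rule syntax is a simplified
subset of pf.conf and the sample rulesets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source spec: "any", a CIDR, or a name
    dst: str               # destination spec
    port: Optional[str]    # port restriction, if any
    text: str              # original rule line, for reporting


def parse_rule(line: str) -> Rule:
    """Parse one rule line of the simplified pf syntax into a Rule."""
    toks = line.split()
    action = toks[0]
    if action not in ("pass", "block"):
        raise ValueError(f"unknown action in rule: {line!r}")
    if toks[1:] == ["all"]:                     # "block all" / "pass all"
        return Rule(action, "any", "any", None, line)
    fields = {"src": "any", "dst": "any", "port": None}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out", "quick"):       # direction / quick: no operand
            i += 1
        elif tok in ("on", "proto") and i + 1 < len(toks):
            i += 2                              # interface / protocol: skip operand
        elif tok in ("from", "to", "port") and i + 1 < len(toks):
            key = {"from": "src", "to": "dst", "port": "port"}[tok]
            fields[key] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"cannot parse token {tok!r} in rule: {line!r}")
    return Rule(action, fields["src"], fields["dst"], fields["port"], line)


def is_unrestricted(addr: str) -> bool:
    """True when an address spec matches every address ("any" or a /0)."""
    if addr == "any":
        return True
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False   # table name or hostname: treat as restricted
    return net.prefixlen == 0


def lint(ruleset: str) -> List[str]:
    """Return a list of findings; an empty list means the ruleset passed."""
    findings: List[str] = []
    rules = [parse_rule(l) for l in ruleset.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    # pf evaluates rules in order and the last match wins (absent "quick"),
    # so a default-deny policy starts with a catch-all block rule.
    if not rules or rules[0].action != "block" or not (
        is_unrestricted(rules[0].src) and is_unrestricted(rules[0].dst)
    ):
        findings.append("policy does not open with a default-deny rule ('block all')")
    for r in rules:
        if r.action == "pass" and is_unrestricted(r.src) and r.port is None:
            findings.append(f"allow-all rule: {r.text}")
    return findings


# Constructed sample rulesets (RFC 5737 documentation addresses).
GOOD = """\
block all
pass in on em0 proto tcp from 192.0.2.0/24 to any port 22
pass out on em0 from 198.51.100.0/24 to any
"""

# The admin meant to write a /24 but typed 0.0.0.0/0: default-deny is undone.
TYPO = """\
block all
pass in on em0 proto tcp from 192.0.2.0/24 to any port 22
pass in on em0 from 0.0.0.0/0 to any
"""

NO_DEFAULT = """\
pass in on em0 proto tcp from 192.0.2.0/24 to any port 22
"""

if __name__ == "__main__":
    for name, rs in (("GOOD", GOOD), ("TYPO", TYPO), ("NO_DEFAULT", NO_DEFAULT)):
        print(name, lint(rs) or "ok")
```

Run it as a pre-commit hook or a CI step on the ruleset file; the point is that the review happens on the text of the policy, before the daemon ever loads it.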