Firewall Wizards mailing list archives
Re: Firewall rules order and performance
From: K K <kkadow () gmail com>
Date: Wed, 29 Jul 2009 09:36:07 -0500
A good example of this is the BIND9 bug released yesterday. A very good firewall has a DNS proxy and denies malformed packets, or can be set to filter out 'nsupdate' type packets. Even "iptables" can be set to drop these packets, with a one-line rule change.

On 7/28/09, K K <kkadow () gmail com> wrote:
> Only if your "firewall" is a lowly stateful inspection packet filter, and is not deeply aware of the higher level protocols... The idea behind "deep inspection" and protocol validating proxy firewalls was in part to filter out attacks before they reach vulnerable servers/clients. They do make the attacker's job more difficult.
>
> KK
>
> On 7/28/09, Eric Gearhart <eric () nixwizard net> wrote:
>> On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin <jdgorin () computer org> wrote:
>>> Who remembers that firewalls (as application gateways) were designed to solve (or to ease a lot) the patch management problem? Now, we are back to patch management as the solution for all problems because dumb people (managers, marketers, buyers, system admins, network admins, developers, or whatever fits your situation) are unable (or unwilling) to understand what a firewall is, and what it is due for...
>>
>> Part of the problem with your argument is that in order for e.g. a web server to be reached, port 80 (and maybe port 443) have to be allowed through the firewall. That fact alone means that the webservers have to be patched, because as long as the firewall is allowing legitimate traffic through, it could also be allowing malicious traffic through...
>>
>> --
>> Eric
>> http://nixwizard.net

--
Sent from my mobile device
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
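The check K K describes, dropping DNS dynamic-update ('nsupdate') messages and malformed headers in front of a resolver, comes down to one bit test on the DNS header. The following is an added example, not code from the post or from any firewall product: it builds a few constructed DNS messages, classifies them by opcode (UPDATE is opcode 5 per RFC 2136), and emits the equivalent single iptables rule using the u32 match (assumed available as a module on the filtering host; the rule text is constructed here, not quoted from the thread).

```python
import struct

# RFC 1035 header: ID(16) | QR(1) Opcode(4) AA TC RD | RA Z AD CD RCODE(4) | QD AN NS AR
DNS_OPCODE_QUERY = 0
DNS_OPCODE_UPDATE = 5      # RFC 2136 dynamic update, what "nsupdate" sends
OPCODE_MASK_HI = 0x78      # opcode bits inside the high flags byte (payload[2])


def dns_opcode(payload: bytes) -> int:
    """Return the opcode of a DNS message; raise ValueError on a truncated header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return (payload[2] & OPCODE_MASK_HI) >> 3


def is_dynamic_update(payload: bytes) -> bool:
    """True only for a well-formed message whose opcode is UPDATE."""
    try:
        return dns_opcode(payload) == DNS_OPCODE_UPDATE
    except ValueError:
        return False


def should_drop(payload: bytes) -> bool:
    """Filter policy from the post: deny malformed headers and dynamic updates."""
    try:
        return dns_opcode(payload) == DNS_OPCODE_UPDATE
    except ValueError:
        return True


def build_message(msg_id: int, opcode: int, name: str = "example.com") -> bytes:
    """Constructed sample DNS message (header + one question/zone section)."""
    flags = (opcode & 0xF) << 11            # opcode sits in bits 11..14 of the flags word
    if opcode == DNS_OPCODE_QUERY:
        flags |= 0x0100                     # RD, as a normal stub query would set
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    qtype = 6 if opcode == DNS_OPCODE_UPDATE else 1   # SOA for the zone section, else A
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def iptables_u32_rule(chain: str = "INPUT") -> str:
    """One-line iptables rule matching the same bit test for UDP/53 (constructed here).

    u32 reads: skip the IP header (IHL*4 bytes), then load 4 bytes at UDP offset 8,
    i.e. DNS ID (2 bytes) + flags (2 bytes). 0x7800 masks the opcode bits of the
    high flags byte; 0x2800 is opcode 5 shifted into that position.
    """
    return (f'iptables -A {chain} -p udp --dport 53 -m u32 '
            f'--u32 "0>>22&0x3C@8&0x7800=0x2800" -j DROP')


def classify(samples: dict) -> dict:
    """Map a label to the filter decision for each constructed sample."""
    return {label: ("DROP" if should_drop(pkt) else "PASS") for label, pkt in samples.items()}


if __name__ == "__main__":
    samples = {                                   # all constructed, not captured traffic
        "query":     build_message(0x1234, DNS_OPCODE_QUERY),
        "update":    build_message(0x1235, DNS_OPCODE_UPDATE),
        "truncated": b"\x12\x36\x28",              # header cut short
    }
    for label, verdict in classify(samples).items():
        print(f"{label:10s} {verdict}")
    print(iptables_u32_rule())
```

The u32 rule only sees UDP; DNS over TCP carries a 2-byte length prefix and stream reassembly, which is where a proxy that understands the protocol earns its keep. Blocking every UPDATE also blocks legitimate dynamic DNS (for example DHCP-driven updates), so in practice the rule is scoped with `-s`/`!`-source matches to untrusted networks, or the check is done by the resolver's own update-policy.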