nanog mailing list archives

Re: Arguing against using public IP space


From: Jay Ashworth <jra () baylink com>
Date: Tue, 15 Nov 2011 16:19:29 -0500 (EST)

----- Original Message -----
From: "Joe Greco" <jgreco () ns sol net>

> And some products, say like FreeBSD (which forms the heart of things
> like pfSense, so let's not even begin to argue that it "isn't a
> firewall") can actually be configured to default either way.
> 
> By Owen's definition, it's not.
> 
> So basically, while we would all prefer that firewalls default to deny,
> it probably isn't as important a distinction as this thread is making
> it out to be, because even a "default to deny" firewall fails when a
> naive admin makes a typo and allows all traffic from 0/0
> inadvertently. It's just a matter of statistical likelihood.
> 
> Or perhaps a better argument would be that routers really ought to
> default to deny. :-) I'd be fine with that, but I can hear the
> screaming already.

But you're missing an important point here, Joe: we're not talking about
default configuration... we're talking about *failure modes*, which are by
definition unpredictable.

All you can really do there is figure the probabilities... and the probability
is that a *router-based* firewall (which as you and I agree, is a helluva lot
of firewalls) will *be more likely* to fail into pass traffic mode than into
don't pass traffic mode.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274