Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Darren Reed <Darren.Reed () Sun COM>
Date: Wed, 28 Nov 2007 14:46:53 -0800
Patrick M. Hausen wrote:
> Hi!
>
> On Tue, Nov 27, 2007 at 09:18:20PM -0800, Darren Reed wrote:
> > State tables allow your firewall to have a deny-all default inbound
> > policy and an allow-all default outbound policy. They allow you to
> > assume that the Internet cannot be trusted and that your internal
> > network can be.
> >
> > I don't see how this is any different to any other firewall.
>
> Strict proxy firewalls cannot implement an "allow all outbound" policy.
I'm sure I could make one do it.

Or I could build one that does:

- use IPFilter's rdr NAT rules to send all incoming TCP connections to a
  single socket;
- write a daemon that listens to that single socket and makes the outbound
  connection, faithfully copying data in both directions.

= voila! Non-routing based proxy firewall that allows through all TCP
connections.

UDP is a bit more tricky but nonetheless doable.
> And all the "proxy by design but packet filters as an addon" products I
> have seen so far ship with only proxy rules enabled in their default
> configuration. So they are less convenient for a certain class of users
> and some applications "do not work" out of the box. Which is the point of
> the firewall. Which is a point a certain class of users does not get.
So what you're really comparing is the default configuration of packet
based firewalls with proxy based firewalls.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
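[Editor's added example, not part of Darren's post and not IPFilter code.] The daemon half of the design Darren sketches above is small enough to show in full: the packet filter's rdr rule steers every inbound TCP connection to one listening socket, and a userland daemon accepts each one, opens the outbound leg itself and copies bytes in both directions, so nothing is ever routed between the two interfaces. Two things are assumptions of this example rather than anything the post states: how the daemon recovers the original destination is platform specific (an ioctl against /dev/ipnat on IPFilter, SO_ORIGINAL_DST on Linux), so it is passed in as a callback, and that same callback doubles as the policy hook (returning None refuses the connection). The echo server and the payloads in run_demo are constructed so the whole thing runs offline on loopback.

```python
# Added example (not IPFilter's code): the relay daemon Darren sketches. The
# packet filter's rdr rule steers every inbound TCP connection to one socket;
# this daemon makes the outbound connection itself and copies bytes both ways.
# ASSUMPTION: recovering the original destination is platform specific (an
# ioctl on /dev/ipnat with IPFilter, SO_ORIGINAL_DST on Linux), so it is a
# callback here; returning None refuses the connection (the policy hook).
import socket
import threading
from typing import Callable, Optional, Tuple
Addr = Tuple[str, int]

def pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF."""
    total = 0
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
            total += len(chunk)
    except OSError:
        pass  # reset by a peer: treat as EOF, the other direction follows
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass
    return total

def relay(client: socket.socket, dst: Addr) -> Tuple[int, int]:
    """Open the outbound leg and shuttle data both ways; returns (up, down) byte counts."""
    with client, socket.create_connection(dst) as upstream:
        down = [0]
        t = threading.Thread(target=lambda: down.__setitem__(0, pump(upstream, client)))
        t.start()
        up = pump(client, upstream)
        t.join()
    return up, down[0]

class TransparentProxy:
    def __init__(self, listen: Addr,
                 resolve_dst: Callable[[socket.socket], Optional[Addr]]) -> None:
        self.resolve_dst = resolve_dst
        self.lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.lsock.bind(listen)
        self.lsock.listen(128)
        self.address: Addr = self.lsock.getsockname()[:2]
        threading.Thread(target=self._serve, daemon=True).start()

    def stop(self) -> None:
        self.lsock.close()  # accept() now fails, ending _serve

    def _serve(self) -> None:
        while True:
            try:
                conn, peer = self.lsock.accept()
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn: socket.socket, peer: Addr) -> None:
        dst = self.resolve_dst(conn)
        if dst is None:
            conn.close()
            print(f"deny  {peer[0]}:{peer[1]}")
            return
        up, down = relay(conn, dst)
        print(f"allow {peer[0]}:{peer[1]} -> {dst[0]}:{dst[1]} {up}B up, {down}B down")

def echo_once(lsock: socket.socket) -> None:
    """Constructed stand-in for the real destination host: echoes until EOF."""
    try:
        conn, _ = lsock.accept()
    except OSError:
        return
    with conn:
        while data := conn.recv(65536):
            conn.sendall(data)

def run_demo(payload: bytes, deny: bool = False) -> bytes:
    """Push payload through the proxy to the echo server; b"" if policy refused it."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    threading.Thread(target=echo_once, args=(server,), daemon=True).start()
    # A real resolve_dst asks the kernel NAT table; the demo maps everything
    # to the constructed echo server, or refuses it when deny is set.
    proxy = TransparentProxy(("127.0.0.1", 0),
                             lambda _c: None if deny else server.getsockname()[:2])
    out = b""
    try:
        with socket.create_connection(proxy.address) as c:
            try:
                c.sendall(payload)
                c.shutdown(socket.SHUT_WR)
                while data := c.recv(65536):
                    out += data
            except OSError:
                pass  # a refused connection is closed, possibly reset, by the proxy
    finally:
        proxy.stop()
        server.close()
    return out

if __name__ == "__main__":
    print(run_demo(b"GET / HTTP/1.0\r\n\r\n"))
```

Running the module sends one request through the relay and prints the echoed reply; run_demo(b"...", deny=True) exercises the refusal path. The point worth noticing is where "allow all outbound" lives: the relay terminates TCP on both sides and forwards nothing at the packet level, so the policy is whatever resolve_dst decides, and a strict proxy that answers "yes, to the original destination" for every connection is exactly the allow-all case Darren is describing. On the IPFilter side an ipnat rdr rule on the inside interface would redirect inbound TCP to the daemon's listening port; the exact rule syntax is not reproduced here, check ipnat(5) for your release.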
Current thread:
- Re: Firewalls that generate new packets.., (continued)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 27)
- Re: Firewalls that generate new packets.. Anton Chuvakin (Nov 28)
- Re: Firewalls that generate new packets.. jason (Nov 27)
- Re: Firewalls that generate new packets.. Patrick M. Hausen (Nov 28)
- Re: Firewalls that generate new packets.. Darren Reed (Nov 28)
- Re: Firewalls that generate new packets.. Timothy Shea (Nov 28)
- Re: Firewalls that generate new packets.. Paul Melson (Nov 28)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 28)
- Re: Firewalls that generate new packets.. Darren Reed (Nov 28)
- Re: Firewalls that generate new packets.. Patrick M. Hausen (Nov 28)
- Re: Firewalls that generate new packets.. Darren Reed (Nov 28)
- Re: Firewalls that generate new packets.. Patrick M. Hausen (Nov 29)
- Re: Firewalls that generate new packets.. lordchariot (Nov 29)
- Re: Firewalls that generate new packets.. Cat Okita (Nov 26)
- Re: Firewalls that generate new packets.. Chris Blask (Nov 26)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 26)
- Re: Firewalls that generate new packets.. Darden, Patrick S. (Nov 26)
- Re: Firewalls that generate new packets.. Bill McGee (bam) (Nov 26)
- Re: Firewalls that generate new packets.. Marcus J. Ranum (Nov 26)
- Re: Firewalls that generate new packets.. Paul D. Robertson (Nov 26)