nanog mailing list archives

Re: ACLs vs. full firewalls


From: Karl Auer <kauer () biplane com au>
Date: Wed, 08 Apr 2009 09:20:34 +1000

On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote:
I'd be interested to hear why people use firewalls.

End hosts are not always trustworthy.

If a host is compromised, should it be able to send anything and
everything out to the public network?

A packet filter looks at the "top surface" of the packet, and processes
the packet accordingly - based on things like the protocol, the source
address, the destination address, the TCP flags and so on.

A firewall, on the other hand, makes decisions based on knowledge about
the data being carried.

I.e., firewall != packet filter; my question related to firewalls.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer () biplane com au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
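The distinction drawn in the message above, shown as runnable code. This is an added example, not part of Karl Auer's message or the NANOG thread: the `Packet` class, the `10.0.0.0/8` internal range, the port list and the constructed sample packets are all assumptions made here. `packet_filter` decides on the "top surface" only (protocol, addresses, ports, TCP flags); `application_firewall` applies the same header rules and then also checks that the carried data matches the service the destination port implies, which is what lets it stop a compromised internal host pushing arbitrary bytes out over an otherwise permitted port.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumption for this example: the internal (trusted-address, not trusted-host) range.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass
class Packet:
    """Minimal packet model (hypothetical, for illustration only)."""
    proto: str                       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    payload: bytes = b""


def packet_filter(pkt: Packet) -> str:
    """Header-only decision: the 'top surface' of the packet."""
    if ip_address(pkt.src) not in INTERNAL:
        return "drop"                # only internal sources may initiate outbound traffic
    if pkt.proto == "tcp" and pkt.dport in (80, 443):
        return "accept"              # web traffic allowed out
    if pkt.proto == "udp" and pkt.dport == 53:
        return "accept"              # DNS allowed out
    return "drop"                    # everything else (e.g. outbound SMTP) denied


def looks_like_http(payload: bytes) -> bool:
    """Very small HTTP request-line heuristic (illustrative, not a full parser)."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
    return payload.startswith(methods) and b" HTTP/1." in payload and b"\r\n" in payload


def looks_like_tls_record(payload: bytes) -> bool:
    """TLS record header: content type 0x14..0x17 followed by major version 0x03."""
    return len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


def application_firewall(pkt: Packet) -> str:
    """Header rules first, then the carried data must fit the service the port implies."""
    verdict = packet_filter(pkt)
    if verdict != "accept" or not pkt.payload:
        return verdict               # denied already, or a bare SYN/ACK with nothing to inspect
    if pkt.dport == 80 and not looks_like_http(pkt.payload):
        return "drop"                # non-HTTP bytes on the HTTP port: likely tunnelling
    if pkt.dport == 443 and not looks_like_tls_record(pkt.payload):
        return "drop"                # non-TLS bytes on the HTTPS port
    return verdict


# Constructed sample packets from an internal host (values invented for this example).
LEGIT_HTTP = Packet("tcp", "10.1.2.3", "203.0.113.10", 40000, 80, {"PSH", "ACK"},
                    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
TUNNELLED = Packet("tcp", "10.1.2.3", "203.0.113.10", 40001, 80, {"PSH", "ACK"},
                   b"\x00\x01\x7f\x02opaque-binary-blob")      # not HTTP, but on port 80
SMTP_OUT = Packet("tcp", "10.1.2.3", "203.0.113.25", 40002, 25, {"SYN"})


def compare(pkts):
    """Return (packet_filter verdict, application_firewall verdict) for each packet."""
    return [(packet_filter(p), application_firewall(p)) for p in pkts]


if __name__ == "__main__":
    for p, (pf, fw) in zip((LEGIT_HTTP, TUNNELLED, SMTP_OUT), compare((LEGIT_HTTP, TUNNELLED, SMTP_OUT))):
        print(f"dport={p.dport:<3} packet_filter={pf:<6} application_firewall={fw}")
```

The payload heuristics are deliberately tiny; a real application-aware firewall tracks connection state, reassembles the stream before inspecting it, and can only see the TLS record layer on 443, not what is inside it. The point the code makes is the one in the message: the packet filter accepts `TUNNELLED` because its headers are fine, while the content-aware check drops it.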


