Firewall Wizards mailing list archives
Firewalls breaking stuff: [Was re: fwtk]
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 18 Jul 2002 17:57:03 -0400
Charles W. Swiger wrote:
To focus more on topics more relevant for this list, one of the biggest problems certain firewalls and mail proxies have is that they break the SMTP protocol. For example, Cisco's PIX (with MailGuard?) attempts to proxy SMTP and breaks the state machine defined in RFC-821 or -822, as well as preventing ESMTP and violating the SMTP banner requirements.
This comes up periodically - and it's the focus of considerable stress for firewall product builders who care about security. What should a firewall do with things that are specified in an RFC that are stupid? Obviously, something has to break. Historically, I've never felt remorse over violating RFCs where they are stupid. After all, they say right in the RFC "this RFC does not address security" which means that any system which _does_ address security need not concern itself with the RFC. ;)

When I broke FTP bouncing in fwtk and broke FTP server side low-port binding, I had a flurry of complaints that I was trampling on RFCs. I believe that I was retroactively fixing them - standards are not something handed down by a priesthood; they're just advice from a bunch of standards pukes who "do not address security". If you're trying to address security it's entirely acceptable and, indeed, the only option, to implement a subset of a dangerous protocol.

mjr.
---
Marcus J. Ranum - Computer and communications Security Expertise
mjr () ranum com (http://www.ranum.com)
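The "subset of a dangerous protocol" idea applied to the FTP case Ranum mentions, as an added illustration that is not part of the thread and not fwtk's own code: a proxy-side check that relays a client's PORT command only when it names the client's own address (which is what defeats the bounce attack) and an unprivileged port. Both rules, the function names and the 10.0.0.5 sample address are assumptions made for this example.

```python
import re

# Assumed policy in the spirit of the fwtk ftp-gw behaviour discussed above
# (an illustration written for this page, not fwtk's own code).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Parse an RFC 959 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port).

    Returns None for anything that is not a well-formed PORT command, so the
    caller rejects it instead of guessing: only forms the proxy fully
    understands are relayed (the "subset" principle).
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port_command(line, client_addr):
    """Decide whether a proxy should relay the client's PORT command.

    client_addr is the address the control connection actually came from.
    Returns (allowed, reason). Assumed rules:
      1. the advertised address must equal the client's own address, which
         is exactly the restriction that breaks the FTP bounce attack;
      2. the advertised port must be unprivileged (>= 1024, hence non-zero),
         so the server is never told to open a data connection to a
         well-known service port on the client side.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != client_addr:
        return False, f"PORT address {ip} is not the client address {client_addr}"
    if port < 1024:
        return False, f"PORT port {port} is privileged or zero"
    return True, "ok"
```

With a constructed client at 10.0.0.5, `PORT 10,0,0,5,4,1` (port 1025) is relayed, while `PORT 192,168,1,9,0,25` (third-party address) and `PORT 10,0,0,5,0,80` (privileged port) are refused.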