Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: Darren Reed <Darren.Reed () Sun COM>
Date: Wed, 28 Nov 2007 14:46:53 -0800

Patrick M. Hausen wrote:

> Hi!
>
> On Tue, Nov 27, 2007 at 09:18:20PM -0800, Darren Reed wrote:
>
>>> State tables allow your firewall to have a deny-all
>>> default inbound policy and an allow-all default outbound policy.  They allow
>>> you to assume that the Internet cannot be trusted and that your internal
>>> network can be.
>>
>> I don't see how this is any different to any other firewall.
>
> Strict proxy firewalls cannot implement an "allow all outbound" policy.

I'm sure I could make one do it.

Or I could build one that does:
- use IPFilter's rdr NAT rules to send all incoming TCP connections
  to a single socket;
- write a daemon that listens to that single socket and makes the
  outbound connection, faithfully copying data in both directions.
= voila!  Non-routing based proxy firewall that allows through all
TCP connections.  UDP is a bit more tricky but nonetheless doable.

> And all the "proxy by design but packet filters as an addon" products,
> I have seen so far, ship with only proxy rules enabled in their
> default configuration.
>
> So they are less convenient for a certain class of users and some
> applications "do not work" out of the box. Which is the point of
> the firewall. Which is a point a certain class of users does not get.

So what you're really comparing is the default configuration
of packet based firewalls with proxy based firewalls.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
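The "rdr everything to one socket, then relay" design sketched in the message above, written out as an added example that is not code from the post or from IPFilter: a daemon that accepts on a single socket, relays each connection to its upstream, and copies bytes both ways while propagating half-closes, which is the part that makes "faithfully copying data in both directions" actually faithful. The rdr rule, port 8080 and the connect_upstream hook are assumptions; recovering a redirected connection's original destination is an ipnat lookup that is platform-specific, so it is left to that hook.

```python
import select
import socket
import threading

# Assumed IPFilter rule, not from the post: every inbound TCP connection on em0
# goes to the daemon's single socket:  rdr em0 0.0.0.0/0 port 0-65535 -> 127.0.0.1 port 8080 tcp
# The original destination needs a platform ipnat lookup; connect_upstream is a hypothetical hook.
BUFSIZE = 65536

def relay(a, b):
    """Copy bytes both ways between two connected sockets until each side has
    finished sending, then close both. EOF on one socket becomes a half-close
    (SHUT_WR) on its peer, so protocols that close one direction first still
    complete. Returns (bytes a->b, bytes b->a)."""
    peer, count, readers = {a: b, b: a}, {a: 0, b: 0}, {a, b}
    with a, b:
        while readers:
            for src in select.select(list(readers), [], [])[0]:
                data = src.recv(BUFSIZE)
                if data:
                    peer[src].sendall(data)
                    count[src] += len(data)
                    continue
                readers.discard(src)              # this side finished sending
                try:
                    peer[src].shutdown(socket.SHUT_WR)
                except OSError:
                    pass                          # peer already fully closed
    return count[a], count[b]

def serve(listen_addr, connect_upstream):
    """Accept on the one redirected socket; relay each client to the socket that
    the hypothetical connect_upstream(client) hook returns."""
    srv = socket.create_server(listen_addr)
    while True:
        client, _ = srv.accept()
        threading.Thread(target=relay, args=(client, connect_upstream(client)), daemon=True).start()

def demo():
    """Drive relay() over two local socketpairs (constructed traffic) with a half-close each way."""
    (c1, c2), (u1, u2) = socket.socketpair(), socket.socketpair()   # client side, server side
    out, t = {}, threading.Thread(target=lambda: out.setdefault("r", relay(c2, u1)))
    t.start()
    c1.sendall(b"hello"); assert u2.recv(BUFSIZE) == b"hello"
    u2.sendall(b"world!"); assert c1.recv(BUFSIZE) == b"world!"
    c1.shutdown(socket.SHUT_WR); assert u2.recv(BUFSIZE) == b""   # client EOF reaches server
    u2.shutdown(socket.SHUT_WR); assert c1.recv(BUFSIZE) == b""   # server EOF reaches client
    t.join(5); c1.close(); u2.close()
    return out["r"]                                               # (5, 6)
```

Note that such a daemon sees every byte of every session, so the same place that makes "allow all TCP" possible is also where per-connection logging and policy would go.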