nanog mailing list archives
Re: Arguing against using public IP space
From: Jay Ashworth <jra () baylink com>
Date: Tue, 15 Nov 2011 16:19:29 -0500 (EST)
----- Original Message -----
> From: "Joe Greco" <jgreco () ns sol net>
>
> And some products, say like FreeBSD (which forms the heart of things like pfSense, so let's not even begin to argue that it "isn't a firewall") can actually be configured to default either way.

By Owen's definition, it's not.

> So basically, while we would all prefer that firewalls default to deny, it probably isn't as important a distinction as this thread is making it out to be, because even a "default to deny" firewall fails when a naive admin makes a typo and allows all traffic from 0/0 inadvertently. It's just a matter of statistical likelihood. Or perhaps a better argument would be that routers really ought to default to deny. :-) I'd be fine with that, but I can hear the screaming already.
But you're missing an important point here, Joe: we're not talking about default configuration... we're talking about *failure modes*, which are by definition unpredictable. All you can really do there is figure the probabilities... and the probability is that a *router-based* firewall (which, as you and I agree, is a helluva lot of firewalls) will *be more likely* to fail into pass traffic mode than into don't pass traffic mode.

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
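The two failure modes the thread is arguing about can be made concrete with a small pf-style ruleset linter. This is an added example, not code from the thread or from pfSense/FreeBSD; it models the pf semantics that matter here (the last matching rule wins unless it is marked `quick`, and a packet matched by no rule at all is passed), parses a constructed, deliberately tiny subset of pf syntax, and reports two things: what happens to a packet when the ruleset is empty (the "fails into pass traffic mode" case), and whether any inbound `pass` rule takes its source from `any` or `0/0` (the "typo" case Joe describes). The rulesets and the packet addresses below are constructed for the example; the interface and subnet names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed rulesets in a small subset of pf syntax (not from the thread).
# The first is the default-deny shape Joe alludes to: "block all" first,
# then explicit passes.  The second is the same thing with the admin's typo:
# the SSH source is "0/0" instead of the management subnet.
DEFAULT_DENY_RULESET = """
block all
pass in quick on em0 proto tcp from 192.0.2.0/24 to any port 22
pass out quick on em0 from any to any
"""

TYPO_RULESET = """
block all
pass in quick on em0 proto tcp from 0/0 to any port 22
pass out quick on em0 from any to any
"""

# Tokens that mean "match every source/destination address".
ANY_TOKENS = ("any", "0/0", "0.0.0.0/0")


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: Optional[str]        # "in", "out" or None (either)
    quick: bool                     # stop evaluating on match
    iface: Optional[str]
    proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]   # None means any
    dst: Optional[ipaddress.IPv4Network]   # None means any
    port: Optional[int]
    text: str

    def matches(self, direction: str, proto: str, src: str, dst: str, port: int) -> bool:
        if self.direction and self.direction != direction:
            return False
        if self.proto and self.proto != proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def parse_addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok in ANY_TOKENS else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    toks = line.split()
    rule = Rule(toks[0], None, False, None, None, None, None, None, line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "all":
            pass                                    # any src, any dst
        elif t in ("on", "proto", "from", "to", "port"):
            i += 1
            val = toks[i]
            if t == "on":
                rule.iface = val
            elif t == "proto":
                rule.proto = val
            elif t == "from":
                rule.src = parse_addr(val)
            elif t == "to":
                rule.dst = parse_addr(val)
            else:
                rule.port = int(val)
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def evaluate(rules: List[Rule], direction: str, proto: str, src: str, dst: str, port: int) -> str:
    """pf semantics: last matching rule wins unless it is 'quick'.
    With no matching rule (or no rules loaded at all) the packet passes,
    which is the fail-open mode the thread is worried about."""
    decision = "pass"
    for rule in rules:
        if rule.matches(direction, proto, src, dst, port):
            decision = rule.action
            if rule.quick:
                break
    return decision


def overly_broad(rules: List[Rule]) -> List[str]:
    """Inbound pass rules whose source is any/0/0: the typo that turns a
    default-deny ruleset back into default-allow for that service."""
    return [r.text for r in rules if r.action == "pass" and r.src is None and r.direction != "out"]
```

Running `evaluate` over an empty ruleset shows the fail-open default (the unsolicited packet passes), the default-deny ruleset blocks the same packet while still admitting SSH from 192.0.2.0/24, and `overly_broad` singles out exactly the `from 0/0` line in the typo ruleset. A lint like this belongs in whatever pushes rulesets to the firewall, since, as the thread notes, default-deny only helps until someone widens a source to the whole Internet by accident.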
Current thread:
- Re: Arguing against using public IP space, (continued)
- Re: Arguing against using public IP space Cameron Byrne (Nov 15)
- Re: Arguing against using public IP space -Hammer- (Nov 15)
- Re: Arguing against using public IP space Valdis . Kletnieks (Nov 15)
- Re: Arguing against using public IP space Jay Ashworth (Nov 15)
- Re: Arguing against using public IP space Owen DeLong (Nov 15)
- Re: Arguing against using public IP space Joe Greco (Nov 15)
- Re: Arguing against using public IP space Owen DeLong (Nov 15)
- Re: Arguing against using public IP space Joe Greco (Nov 15)
- Re: Arguing against using public IP space david raistrick (Nov 15)
- Re: Arguing against using public IP space Joe Greco (Nov 15)
- Re: Arguing against using public IP space Jay Ashworth (Nov 15)
- Re: Arguing against using public IP space Joe Greco (Nov 15)
- Re: Arguing against using public IP space Leigh Porter (Nov 15)
- Re: Arguing against using public IP space Owen DeLong (Nov 15)
- Re: Arguing against using public IP space Jay Ashworth (Nov 15)
- Re: Arguing against using public IP space Mark Andrews (Nov 15)
- Re: Arguing against using public IP space Karl Auer (Nov 15)
- Re: Arguing against using public IP space Owen DeLong (Nov 16)
- Re: Arguing against using public IP space Jay Ashworth (Nov 16)
- Re: Arguing against using public IP space Ray Soucy (Nov 16)
- Re: Arguing against using public IP space Dave Hart (Nov 16)