Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Andrew Brown <atatat@atatdot.net>
From: Perry E. Metzger <perry@piermont.com>
List: tech-net
Date: 05/06/2000 15:52:46
Andrew Brown <atatat@atatdot.net> writes:
> >>>>>> "Andrew" == Andrew Brown <atatat@atatdot.net> writes:
> >    Andrew> if you're a firewall, you should have ipforwarding off and you should
> >    Andrew> be proxying services.  if you're forwarding packets, you're *NOT* a
> >    Andrew> firewall.
> >
> >  As someone who made a lot of money in the early/mid 90s selling proxy-based
> >firewalls, I'm not going to argue this point. The difference between a fully
> >stateful packet filter and a proxy based system is largely academic now.
> 
> i'll grant you that, but it's still much harder to break a proxy so
> that it accidentally forwards every connection attempt.

That's true, but our goal is not to make things secure only for people
that configure things one way. Let's try to be nice to *everyone*.

Perry