Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 05/06/2000 16:32:32
>>>>> "Andrew" == Andrew Brown <atatat@atatdot.net> writes:
    Andrew> i'll grant you that, but it's still much harder to break a proxy so
    Andrew> that it accidentally forwards every connection attempt.  packet
    Andrew> filters can be easily broken (by clueless personnel) such that they
    Andrew> *do* forward too much.

  Yes, I agree completely. However, they promote NAT (BlackHole was the
first proxy based firewall that gave you the option not to do NAT), and they
totally kill IPsec. I've repented, since I like IPsec more than I like
proxies :-)

    Andrew> your rules are supposed to distinguish between what needs to be local and
    Andrew> what needs to be forwarded.  i thought that was the idea...

  Yes, they do. It is a pain.

  I want to write a rule for inbound and outbound connections (at the UDP/TCP
layer... they already have all the state that they need), and separate
stateful rules for each possible forwarding direction.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [