[c-nsp] cisco-nsp Digest, Vol 83, Issue 39
sthaug at nethelp.no
Mon Oct 12 15:37:52 EDT 2009
> If you have a lousy firewall (i.e., one that is doing nothing more than
> keeping a UDP session open), yes, absolutely. However, good firewalls
> are doing a lot more than that.
Some of us have seen too much damage done by firewalls to DNS, SMTP and
a number of other protocols to really believe in this.
> Now, if you put in a piece-o-crap firewall that is misconfigured, too
> slow, doesn't have a big enough session table, and doesn't do anything
> more than your average reflexive access control list, then you're right
> on: rip that junk out and go bareback.
It would seem that the piece-o-crap firewalls vastly outnumber the good
firewalls. See, for instance, the discussions on various DNS lists
about firewalls and EDNS0.
> But if you do it right, there is value to be provided by a firewall.
In some circumstances, agreed. For DNS servers (whether recursive or
authoritative), absolutely not.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
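An added illustration of the EDNS0 breakage the post refers to, written for this digest and not part of the original message: the script builds a minimal EDNS0 query in DNS wire format, parses a response, and classifies what came back (OPT record preserved, OPT stripped, FORMERR on EDNS0, or TC set despite a large advertised buffer). The query and the three sample responses are constructed inline so it runs offline; the name example.com, the transaction id and the 4096-byte buffer size are assumptions chosen for the example. Pointing build_edns0_query at a real resolver over UDP and feeding the reply to parse_response gives a quick check of whether a path in front of a DNS server leaves EDNS0 intact.

```python
import struct

# Classification labels returned by classify() (constructed for this example).
OK = "EDNS0 OK"
REJECTED = "EDNS0 rejected"      # FORMERR and no OPT: EDNS0 not understood on the path
STRIPPED = "OPT stripped"        # answer came back, but the OPT record was removed
TRUNCATED = "truncated"          # TC set even though we advertised a large buffer


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_edns0_query(name, qtype=1, udp_payload_size=4096, txid=0x1234):
    """Standard query (RD set) for name/qtype with one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS carries the UDP payload size, TTL carries
    # extended rcode/version/flags (all zero here), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)
    return header + question + opt


def build_response(txid, rcode, truncated, include_opt, udp_size=4096,
                   answer_ip=None, question=("example.com", 1)):
    """Constructed test response: QR/RD/RA set, optional A answer, optional OPT RR."""
    flags = 0x8180 | rcode | (0x0200 if truncated else 0)
    an = 1 if answer_ip else 0
    ar = 1 if include_opt else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, an, 0, ar)
    msg += encode_name(question[0]) + struct.pack("!HH", question[1], 1)
    if answer_ip:
        # Compression pointer to the question name at offset 12, then an A record.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(x) for x in answer_ip.split("."))
    if include_opt:
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + l


def parse_response(msg):
    """Pull out the fields that matter for an EDNS0 path check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # qtype + qclass
    opt_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                      # OPT RR survived the path
            opt_size = rclass
    return {"txid": txid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "edns_udp_size": opt_size, "answers": an}


def classify(parsed):
    """Map a parsed response to one of the labels above."""
    if parsed["rcode"] == 1 and parsed["edns_udp_size"] is None:
        return REJECTED
    if parsed["edns_udp_size"] is None:
        return STRIPPED
    if parsed["truncated"]:
        return TRUNCATED
    return OK


if __name__ == "__main__":
    q = build_edns0_query("example.com")
    print("query bytes:", len(q))
    samples = {
        "clean path": build_response(0x1234, 0, False, True, answer_ip="192.0.2.1"),
        "FORMERR, no OPT": build_response(0x1234, 1, False, False),
        "OPT removed": build_response(0x1234, 0, False, False, answer_ip="192.0.2.1"),
        "TC despite EDNS0": build_response(0x1234, 0, True, True),
    }
    for label, resp in samples.items():
        print(f"{label}: {classify(parse_response(resp))}")
```

On a live check, any result other than "EDNS0 OK" from a server known to support EDNS0 points at a middlebox between you and it rather than at the server itself.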