Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: How automate firewall tests
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 21 Aug 2006 09:30:49 -0400

Patrick M. Hausen wrote:
Blocking ICMP completely breaks PMTUD.

Oh, THAT again.

You've got it backwards. PMTUD is already broken; blocking ICMP simply
makes that breakage apparent.

When standards bodies deliberately standardize feature-sets that they
are informed in advance are going to cause security problems, this is what you get.
There was a time when a lot of the "internet pioneers" felt that firewalls were "evil"
and that security interfered with the correct operation of the Internet ("information
must be free!")  That agenda resulted in some weird collisions with
objective reality. I recall a time when lots of "internet pioneers" would go around
saying stuff like "When IPV6 is here and nobody needs firewalls anymore.."
or "Router ACLs are good enough." etc. And people wonder why the
Internet protocol stack looks like it was cobbled together by a committee
of amateurs and prima donnas: it was.


firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]