Re: [fw-wiz] Firewalls that generate new packets..
Patrick M. Hausen wrote:
>On Tue, Nov 27, 2007 at 09:18:20PM -0800, Darren Reed wrote:
>>>State tables allow your firewall to have a deny-all
>>>default inbound policy and an allow-all default outbound policy. They allow
>>>you to assume that the Internet cannot be trusted and that your internal
>>>network can be.
>>I don't see how this is any different to any other firewall.
>Strict proxy firewalls cannot implement an "allow all outbound" policy.
I'm sure I could make one do it.
Or I could build one that does:
- use IPFilter's rdr NAT rules to send all incoming TCP connections
to a single socket;
- write a daemon that listens to that single socket and makes the
outbound connection, faithfully copying data in both directions.
= voila! Non-routing based proxy firewall that allows through all
TCP connections. UDP is a bit more tricky but nonetheless doable.
>And all the "proxy by design but packet filters as an addon" products,
>I have seen so far, ship with only proxy rules enabled in their
>So they are less convenient for a certain class of users and some
>applications "do not work" out of the box. Which is the point of
>the firewall. Which is a point a certain class of users does not get.
So what you're really comparing is the default configuration
of packet based firewalls with proxy based firewalls.
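The "rdr everything to one socket, then proxy it back out" design sketched above, written out as an added example (this is not code from the thread or from IPFilter). The rdr rule in the comment is an assumed illustration, and since recovering a client's original destination is kernel-specific, it is passed in as an `original_dst` callback; `relay` and `serve_one` are names chosen here.

```python
import selectors
import socket

# Constructed illustration of the daemon half of the design: every inbound
# TCP connection is rdr'd to one local port and this code proxies it out.
# An assumed IPFilter rule feeding it might look like:
#   rdr em0 0.0.0.0/0 port 1-65535 -> 127.0.0.1 port 3128 tcp
# The original destination lives in the NAT table; the lookup is a callback.

def relay(left, right, bufsize=65536):
    """Copy bytes both ways until each side has sent EOF; half-close the
    peer when one direction ends so the other direction can still drain."""
    counts = {"client_to_server": 0, "server_to_client": 0}
    peer = {left: (right, "client_to_server"), right: (left, "server_to_client")}
    sel = selectors.DefaultSelector()
    for s in (left, right):
        sel.register(s, selectors.EVENT_READ)
    open_dirs = 2
    while open_dirs:
        for key, _ in sel.select():
            src = key.fileobj
            dst, name = peer[src]
            try:
                data = src.recv(bufsize)
            except OSError:          # reset by peer: treat as EOF
                data = b""
            if not data:
                sel.unregister(src)
                open_dirs -= 1
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            dst.sendall(data)        # blocking send keeps the demo simple
            counts[name] += len(data)
    sel.close()
    return counts

def serve_one(client, original_dst, connect=socket.create_connection):
    """Handle one redirected connection and return the bytes relayed."""
    dst = original_dst(client)      # (host, port) the client really wanted
    server = connect(dst)
    try:
        return relay(client, server)
    finally:
        client.close()
        server.close()
```

A real daemon would accept on the rdr target port and hand each connection to `serve_one` in its own thread; the per-direction byte counts it returns are what you would log per session.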
firewall-wizards mailing list