Patrick M. Hausen wrote:

>Hi!
>
>On Tue, Nov 27, 2007 at 09:18:20PM -0800, Darren Reed wrote:
>
>>>State tables allow your firewall to have a deny-all
>>>default inbound policy and an allow-all default outbound policy. They allow
>>>you to assume that the Internet cannot be trusted and that your internal
>>>network can be.
>>
>>I don't see how this is any different to any other firewall.
>
>Strict proxy firewalls cannot implement an "allow all outbound" policy.

I'm sure I could make one do it.

Or I could build one that does:
- use IPFilter's rdr NAT rules to send all incoming TCP connections
to a single socket;
- write a daemon that listens to that single socket and makes the
outbound connection, faithfully copying data in both directions.
= voila! Non-routing based proxy firewall that allows through all
TCP connections. UDP is a bit more tricky but nonetheless doable.

>And all the "proxy by design but packet filters as an addon" products,
>I have seen so far, ship with only proxy rules enabled in their
>default configuration.
>
>So they are less convenient for a certain class of users and some
>applications "do not work" out of the box. Which is the point of
>the firewall. Which is a point a certain class of users does not get.

So what you're really comparing is the default configuration
of packet based firewalls with proxy based firewalls.

Darren
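The "single socket plus relay daemon" sketch above, written out as an added example (my code, not Darren's and not part of IPFilter): the listener receives every TCP connection the rdr rule redirects to it, opens the outbound leg, and copies bytes both ways. The `resolve_destination` hook is an assumption standing in for the firewall's own lookup of the original destination; it is also the one place such a daemon can apply any policy at all, which is exactly why a relay like this amounts to "allow all outbound". `self_test` wires the relay to a loopback echo server so it runs offline.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF to the other side
        except OSError:
            pass

def relay(client, resolve_destination):
    """Serve one redirected connection: find where it was going, dial it,
    and relay data in both directions until both sides are done."""
    host, port = resolve_destination(client)   # assumed hook, see lead-in
    server = socket.create_connection((host, port))
    back = threading.Thread(target=pump, args=(server, client), daemon=True)
    back.start()
    pump(client, server)
    back.join()
    client.close()
    server.close()

def serve(listener, resolve_destination):
    """Accept loop for the single socket all redirected connections land on."""
    while True:
        client, _ = listener.accept()
        threading.Thread(target=relay, args=(client, resolve_destination),
                         daemon=True).start()

def self_test(payload=b"hello through the relay"):
    """Constructed loopback check: client -> relay -> echo server -> back."""
    echo = socket.socket(); echo.bind(("127.0.0.1", 0)); echo.listen()
    def echo_loop():
        conn, _ = echo.accept()
        pump(conn, conn)                     # echo everything back, then half-close
    threading.Thread(target=echo_loop, daemon=True).start()
    lst = socket.socket(); lst.bind(("127.0.0.1", 0)); lst.listen()
    # On a real firewall this hook would consult the NAT table; here it is fixed.
    threading.Thread(target=serve, args=(lst, lambda c: echo.getsockname()),
                     daemon=True).start()
    with socket.create_connection(lst.getsockname()) as c:
        c.sendall(payload); c.shutdown(socket.SHUT_WR)
        got = b""
        while chunk := c.recv(4096):
            got += chunk
    return got
```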

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards