[geeks] IPFilter experts?
Greg A. Woods
woods at weird.com
Tue Nov 12 02:24:43 CST 2002
[ On Monday, November 11, 2002 at 22:03:44 (+0100), Mike Meredith wrote: ]
> Subject: Re: [geeks] IPFilter experts?
>
> Well I'm not a major TCP/IP expert and I'm running a very similar
> firewall (with the change noted above). I haven't been fired, told I'm
> an idiot (although I dare say I'm about to be), or lynched; in fact the
> only problems I've had with the firewall are to do with users not
> realising they might have to request odd-ball stuff.
>
> I'm certainly curious to know what things I'm missing that means a major
> TCP/IP expert is needed. You certainly need to have a pretty good
> understanding of IP, and a basic understanding of routing
Well, that's kinda what I mean. You also have to have a good solid
understanding of how the various protocols interact, and so on too.
For example, there are far too many firewall admins out there who think
all ICMP is plain old evil and don't seem to realize that for the most
part it's absolutely a critical component of TCP.
> but the
> difficulties tend to be more political than technical (at least in an
> academic environment)
Yes, too often that's the case. Some nimrod power-hungry security
officer makes up a bunch of completely bogus rules after reading a
pamphlet or seeing some half-hour show about firewalls on TechTV or
what-have-you and the result ties everyone's hands for weeks.
You don't need an anal-retentive firewall if you know what you're
running on the inside, and if you don't know what you're running on the
inside then you'd be best off with a pair of wire cutters (or at worst a
plain old-fashioned application-level bastion gateway -- i.e. no
low-level packet flow whatsoever, not even NATed).
--
Greg A. Woods
+1 416 218-0098; <g.a.woods at ieee.org>; <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
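To make the ICMP point above concrete, here is an IPFilter ipf.conf fragment that sets the "all ICMP is evil" rule set beside one that still admits the ICMP error messages TCP depends on. This is an added example written for this page, not rules posted by anyone in the thread; the external interface name (fxp0) and the internal network (192.168.1.0/24) are placeholders you would replace with your own.

```conf
# Added example, not from the original post. Interface fxp0 and the
# network 192.168.1.0/24 are assumed placeholders.

# --- Overly strict: drops every ICMP message, including the Destination
# Unreachable / fragmentation-needed reports (type 3, code 4) that Path
# MTU Discovery relies on. Hosts behind this box will see TCP sessions
# that complete the handshake and then stall as soon as a large segment
# with DF set has to cross a link with a smaller MTU.
# block in  quick on fxp0 proto icmp from any to any
# block out quick on fxp0 proto icmp from any to any

# --- Corrected: default deny, stateful outbound TCP, and explicit passes
# for the ICMP error types TCP needs. No echo request is accepted inbound,
# so the box still does not answer pings from outside.
block in  log quick on fxp0 all with short
block in  log on fxp0 all
block out log on fxp0 all

pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any flags S keep state

# Destination Unreachable. Code 4 (fragmentation needed) is the one you
# must never drop; if you want to be strict, narrow this rule to
#   icmp-type unreach code needfrag
# The other codes let the stack fail fast instead of retransmitting into
# a black hole.
pass in quick on fxp0 proto icmp from any to 192.168.1.0/24 icmp-type unreach

# Time Exceeded (TTL expired in transit) and Parameter Problem also carry
# information the sending stack needs.
pass in quick on fxp0 proto icmp from any to 192.168.1.0/24 icmp-type timex
pass in quick on fxp0 proto icmp from any to 192.168.1.0/24 icmp-type paramprob

# Let inside hosts send the same errors back out to their peers.
pass out quick on fxp0 proto icmp from 192.168.1.0/24 to any icmp-type unreach
```

Syntax-check the file with `ipf -nf /etc/ipf.conf` before loading it with `ipf -Fa -f /etc/ipf.conf`. IPFilter can also match ICMP errors against existing state table entries, but the explicit rules above do not rely on that behaviour, which is the safer assumption when you are not sure which release you are running.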