[109262] in Cypherpunks


CDR: Re: Firedoors (fired Oors ?) (fwd)

daemon@ATHENA.MIT.EDU (Jim Choate)
Mon Mar 15 20:51:40 1999

From: Jim Choate <ravage@einstein.ssz.com>
To: cypherpunks@einstein.ssz.com
Date: Mon, 15 Mar 1999 19:36:20 -0600 (CST)
Reply-To: Jim Choate <ravage@einstein.ssz.com>


----- Forwarded message from Secret Squirrel -----

Date: 15 Mar 1999 22:30:14 -0000
From: Secret Squirrel <secret_squirrel@nym.alias.net>
Subject: CDR: Re: Firedoors (fired Oors ?)

You missed the point. The declared function of firewalls is irrelevant here.
Firewall security is based on ignorance. Application-level proxies are not
smart enough to do content-based filtering; therefore, if they allow some
semantics to pass through, then they will allow all.


----- End of forwarded message from Secret Squirrel -----

Actually, an ideal firewall is meant to do source-level (i.e. IP & hostname)
routing control (e.g. no IP forwarding) across multiple NICs on a single box.
It's also one-way, driven by internally generated tos requests going out into
the cloud (e.g. /etc/host.deny being 'all:all').

But the point is that using firewalls for content filtering is like using a
16 lb. sledge to swat flies. There are other, much more effective ways to do
those sorts of things (e.g. ttysnoop). Use firewall technology to filter
packets to /dev/null based on IP and hostname.domain. With a suitably smart
NIC you could do it at the card level, eliminating quite a few interrupts, I
suspect. It also helps with security, because if the data is dumped at the
NIC there ain't ever a chance to run it on the CPU.


    ____________________________________________________________________
 
        The trouble with acting according to your conscience is that
        once you start doing it, nobody can trust you any more.

                                            Alexis A. Gilliland

       The Armadillo Group       ,::////;::-.          James Choate
       Austin, Tx               /:'///// ``::>/|/      ravage@ssz.com
       www.ssz.com            .',  ||||    `/( e\      512-451-7087
                           -====~~mm-'`-```-mm --'-
    --------------------------------------------------------------------
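The two positions in this exchange can be shown side by side with a toy filter. The following is an added example, not code from the thread or from either poster: a first-match, default-deny source filter that decides from source IP and reverse-DNS name only (the role Jim describes, with the 'all:all' posture as the default) and that, by construction, never reads the payload (the "ignorance" Secret Squirrel is pointing at: once a source is allowed, every payload from it passes). The rule syntax, the class and function names, the documentation addresses, the hostnames and the packet payloads are all constructed for this example.

```python
"""Toy source-address packet filter (added illustration, not from the thread).

Decides per packet from source IP / hostname only, never from payload.
Rule syntax, sample addresses, hostnames and payloads are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """The fields a source-based filter looks at, plus the payload it does not."""
    src_ip: str
    src_host: Optional[str]   # reverse-DNS name if one was obtained, else None
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    """First matching rule wins. A rule with neither criterion set matches everything."""
    action: str                                    # "accept" or "drop"
    src_net: Optional[ipaddress.IPv4Network] = None
    host_suffix: Optional[str] = None              # e.g. ".example.net"

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None:
            # An IPv6 source is never inside an IPv4 network, so it falls through.
            if ipaddress.ip_address(pkt.src_ip) not in self.src_net:
                return False
        if self.host_suffix is not None:
            # Caveat: the reverse-DNS name is supplied by whoever controls the
            # source's in-addr.arpa zone, so hostname rules are the weak ones.
            if pkt.src_host is None:
                return False
            if not pkt.src_host.lower().endswith(self.host_suffix.lower()):
                return False
        return True


class SourceFilter:
    """Decides from source address/hostname only; the payload is never examined."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = list(rules)
        self.default = default    # default deny: the 'all:all' posture

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed rule set: drop one internal block, accept one subnet and one domain.
RULES = [
    Rule("drop", src_net=ipaddress.ip_network("10.0.0.0/8")),
    Rule("accept", src_net=ipaddress.ip_network("192.0.2.0/24")),
    Rule("accept", host_suffix=".example.net"),
]

# Constructed sample traffic (RFC 5737 documentation addresses, made-up names).
# Packets 2 and 3 come from the same allowed source; only the payload differs.
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "box.corp.internal", 25, b"HELO box\r\n"),
    Packet("192.0.2.7", None, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.7", None, 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.5", "relay.example.net", 25, b"MAIL FROM:<a@example.net>\r\n"),
    Packet("198.51.100.9", None, 22, b"SSH-1.5-OpenSSH\r\n"),
]


def run_demo() -> List[str]:
    """Verdict for each sample packet, in order."""
    flt = SourceFilter(RULES)
    return [flt.decide(p) for p in SAMPLE_PACKETS]


def payload_independent(flt: SourceFilter, src_ip: str, src_host: Optional[str],
                        dst_port: int, payloads: List[bytes]) -> bool:
    """True when every payload from one source gets the same verdict, i.e. the
    decision is a function of the source alone and content never mattered."""
    verdicts = {flt.decide(Packet(src_ip, src_host, dst_port, pl)) for pl in payloads}
    return len(verdicts) == 1


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{verdict:6} {pkt.src_ip:14} {pkt.src_host or '-':20} {pkt.payload[:24]!r}")
```

Packets 2 and 3 get the same verdict although a content-aware proxy would treat them very differently; that is the trade the thread is arguing about. The hostname rule is kept deliberately to show why a practitioner would not rely on it: the name comes from the remote side's reverse zone, so an address-based rule is the one that actually holds.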

