[146550] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Tue Nov 15 16:19:42 2011
Date: Tue, 15 Nov 2011 16:19:29 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <201111151754.pAFHsk4t094745@aurora.sol.net>
----- Original Message -----
> From: "Joe Greco" <jgreco@ns.sol.net>
> And some products, say like FreeBSD (which forms the heart of things
> like pfSense, so let's not even begin to argue that it "isn't a
> firewall") can actually be configured to default either way.
By Owen's definition, it's not.
> So basically, while we would all prefer that firewalls default to deny,
> it probably isn't as important a distinction as this thread is making
> it out to be, because even a "default to deny" firewall fails when a
> naive admin makes a typo and allows all traffic from 0/0
> inadvertently. It's just a matter of statistical likelihood.
>
> Or perhaps a better argument would be that routers really ought to
> default to deny. :-) I'd be fine with that, but I can hear the
> screaming already.
But you're missing an important point here, Joe: we're not talking about
default configuration... we're talking about *failure modes*, which are by
definition unpredictable.
All you can really do there is figure the probabilities... and the probability
is that a *router-based* firewall (which as you and I agree, is a helluva lot
of firewalls) will *be more likely* to fail into pass traffic mode than into
don't pass traffic mode.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
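The two failure modes argued about above (an explicit "pass" rule that a fat-fingered admin opens to 0/0, and a ruleset that is fail-open because it never sets a default-deny) are both mechanically checkable before a config is pushed. The following linter is an added example, not code from this thread or from pfSense/FreeBSD; it assumes a hypothetical, pf-like one-rule-per-line syntax (`pass|block [in|out] [on IFACE] [proto PROTO] from SRC to DST [port PORT]`, with `block all` / `pass all` as the default rule) and the pf semantics that unmatched traffic passes unless a `block all` exists. The sample rulesets are constructed.

```python
"""Lint a pf-style ruleset for fail-open mistakes (added example, hypothetical syntax)."""
import ipaddress
import re

# Hypothetical grammar: <action> [in|out] [on IFACE] [proto PROTO] from SRC to DST [port PORT]
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?P<dir>in|out))?(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<port>\S+))?$"
)


def is_everything(addr):
    """True when an address spec matches every host: 'any', '0/0', or any /0 prefix."""
    if addr in ("any", "0/0"):
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False


def lint(ruleset):
    """Return [(line_no, finding_code)]; line 0 means 'whole ruleset'.

    Finding codes:
      PASS_ALL_DEFAULT  explicit 'pass all' default rule (fail-open by design)
      PASS_FROM_0/0     a pass rule with no proto/port that admits all traffic from everywhere
      UNPARSEABLE       a line the hypothetical grammar does not understand
      NO_DEFAULT_DENY   no 'block all', so unmatched traffic passes (pf semantics)
    """
    findings = []
    default_deny = False
    for line_no, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and whitespace
        if not line:
            continue
        if line == "block all":
            default_deny = True
            continue
        if line == "pass all":
            default_deny = False
            findings.append((line_no, "PASS_ALL_DEFAULT"))
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((line_no, "UNPARSEABLE"))
            continue
        # The typo case from the thread: a pass rule that is wide open on both ends
        # and is not narrowed by a protocol or port.
        if (m["action"] == "pass" and is_everything(m["src"]) and is_everything(m["dst"])
                and not m["proto"] and not m["port"]):
            findings.append((line_no, "PASS_FROM_0/0"))
    if not default_deny:
        findings.append((0, "NO_DEFAULT_DENY"))
    return findings


# Constructed sample: default-deny ruleset with one wide-open typo on line 3.
SAMPLE_FAIL_CLOSED = """\
block all
pass in on em0 proto tcp from 192.0.2.0/24 to any port 22
pass in on em0 from 0/0 to any   # meant to be a narrow source, got 0/0 instead
"""

# Constructed sample: every rule is tight, but nothing sets the default to deny.
SAMPLE_FAIL_OPEN = """\
pass in on em0 proto tcp from 192.0.2.0/24 to any port 22
"""

if __name__ == "__main__":
    for name, text in (("fail-closed", SAMPLE_FAIL_CLOSED), ("fail-open", SAMPLE_FAIL_OPEN)):
        print(name, lint(text))
```

Running it flags line 3 of the first ruleset as `PASS_FROM_0/0` and the second ruleset as `NO_DEFAULT_DENY` even though every explicit rule in it is narrow; the second case is the one a router-based packet filter tends to land in by default, which is the point being made above.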