> > I believe the primary purpose of firewalls should be to
> > protect the network, not the hosts, from abusive or
> > unauthorized usage.
>
> I do not agree with this. The primary purpose of firewalls is to protect
> BOTH the network and the hosts.

the reason I disagree is that fundamentally, there's no way that a firewall can reliably distinguish legitimate traffic from illegitimate traffic, and there's no way that a firewall can exclude all (or in many cases even most) threats. to do that it would have to be smarter than the application.

a firewall can thwart some subset of threats, or a firewall can block legitimate traffic. what it cannot do is remove the burden from hosts and applications to implement reliable security.

OTOH, the network cannot expect hosts to protect it; it must protect itself. that's why I say that the primary purpose of firewalls is to protect the network. if the firewall can also provide security in depth for hosts, that's useful, but that's just a backup - there's no way to have confidence in the security of a host that relies on firewalls as its primary means of protection.

> > an intermediary MUST NOT alter the source or destination
> > field in an IP header.
>
> There is nothing wrong with this if another intermediary puts it back
> the way it was originally, preserving end-to-end traffic.

if you're talking about RSIP, I don't think that's true, because IIRC it still requires hosts and apps to be aware of addressing realms.