Keith,

>>> Keith Moore wrote:
>>> I believe the primary purpose of firewalls should be to
>>> protect the network, not the hosts, from abusive or
>>> unauthorized usage.

>> Michel Py wrote:
>> I do not agree with this. The primary purpose of firewalls is
>> to protect BOTH the network and the hosts.

> the reason I disagree is that fundamentally, there's no way
> that a firewall can reliably distinguish legitimate traffic
> from illegitimate traffic,

This is flat out untrue. Below are a few examples of illegitimate traffic that my firewall trashed recently.

Jun 16 17:05:38.324 PST: %IDS-4-HTTP_WWW_HOST_FIELD_OVFLOW_SIG: Sig:5123:WWW Host Field overflow - from 204.116.211.240 to 192.168.1.4
Jun 16 23:22:54.319 PST: %IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb - from 206.13.31.12 to 209.233.126.65
Jun 18 11:28:58.906 PST: %IDS-4-HTTP_IIS_DOTDOT_EXE_SIG: Sig:3215: IIS DOT DOT EXECUTE Attack - from 200.38.190.140 to 192.168.1.4

> what it cannot do is remove the burden from hosts and
> applications to implement reliable security.

This is unexpected coming from you. Look again at the last example I pasted. Do _you_ suggest that I should trust _that_ vendor to implement reliable security?

>>> an intermediary MUST NOT alter the source or destination
>>> field in an IP header.

>> There is nothing wrong with this if another intermediary puts it
>> back the way it was originally, preserving end-to-end traffic.

> if you're talking about RSIP, I don't think that's true, because
> IIRC it still requires hosts and apps to be aware of addressing
> realms.

I was talking about MHAP, which is transparent to hosts and apps.

Michel.
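The three `%IDS-4-...` syslog lines pasted in the message are the kind of evidence a firewall administrator would want to aggregate rather than read one by one. The following is an added example, not code from either participant in the thread: a small parser for that line layout that extracts the signature id, description, source and destination, then reports hits per signature and per source and which RFC 1918 destinations (hosts behind the firewall) were targeted. The field layout is inferred solely from the three quoted lines and is an assumption, not a vendor specification; the sample input is those same three lines.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Sample input: the three lines quoted in the message above.
SAMPLE_LOG = """\
Jun 16 17:05:38.324 PST: %IDS-4-HTTP_WWW_HOST_FIELD_OVFLOW_SIG: Sig:5123:WWW Host Field overflow - from 204.116.211.240 to 192.168.1.4
Jun 16 23:22:54.319 PST: %IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb - from 206.13.31.12 to 209.233.126.65
Jun 18 11:28:58.906 PST: %IDS-4-HTTP_IIS_DOTDOT_EXE_SIG: Sig:3215: IIS DOT DOT EXECUTE Attack - from 200.38.190.140 to 192.168.1.4
"""

# Layout inferred from the sample lines only (an assumption, not a vendor spec):
# "<timestamp> <tz>: %IDS-<severity>-<MNEMONIC>: Sig:<id>:<description> - from <src> to <dst>"
IDS_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \w+): "
    r"%IDS-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"Sig:(?P<sig>\d+):\s*(?P<desc>.+?) - from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_ids_line(line):
    """Return a dict of fields for one %IDS line, or None if it does not match."""
    m = IDS_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["sig"] = int(rec["sig"])
    # Both endpoints must be valid IPv4; a malformed address rejects the line.
    try:
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    except ValueError:
        return None
    rec["src_is_private"] = src.is_private
    rec["dst_is_private"] = dst.is_private
    return rec


def summarize(log_text):
    """Parse every line and aggregate: hits per signature, hits per source,
    and the set of RFC 1918 (internal) destinations that were targeted."""
    records = [r for r in map(parse_ids_line, log_text.splitlines()) if r]
    return {
        "total": len(records),
        "by_signature": Counter((r["sig"], r["desc"]) for r in records),
        "by_source": Counter(r["src"] for r in records),
        "internal_targets": sorted({r["dst"] for r in records if r["dst_is_private"]}),
        "records": records,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} alerts parsed")
    for (sig, desc), n in s["by_signature"].most_common():
        print(f"  Sig {sig} ({desc}): {n}")
    for src, n in s["by_source"].most_common():
        print(f"  from {src}: {n}")
    print("internal hosts targeted:", ", ".join(s["internal_targets"]))
```

Lines that are not `%IDS` alerts (other syslog mnemonics, truncated lines) are dropped rather than guessed at, so a count from `summarize` only ever reflects fully parsed alerts; the private-address flag is what lets an operator separate alerts aimed at protected hosts from those aimed at the firewall's public side.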