> I should have included one more aspect in the third set. That is
> traffic disallowed by policy. Current top-of-mind in security
> circles includes NTP attacks - someone sends a message with a
> spoofed source address to an NTP server, which now sends
> something to that address every mumble time units...

Presumably, your firewall could have some kind of source address verification that takes care of such spoofing.

As for "diode firewalls," they can be bypassed trivially using ICE, STUN, etc. That is, as long as the application is using UDP. Which means that instead of applications running over TCP, they will need to use some reliable transport over UDP. There are plenty of those...

Now, we can debate whether the Internet will be a better place with diode firewalls instead of routers and transport over UDP instead of TCP.

-- Christian Huitema
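The two mechanisms the reply touches on, source-address verification against the spoofed-source NTP reflection attack and the UDP hole-punching that ICE/STUN use to get through a stateful "diode" firewall, are modelled below in a small Python simulation. This is an added example, not code from the thread or from any firewall product; the DiodeFirewall class, the verdict strings and every address and port are constructed for illustration, and the model ignores NAT and routing and tracks UDP flow state only.

```python
"""Toy model of a stateful 'diode' firewall with BCP38-style egress filtering.

Added example, not part of the original thread.  The class, verdict strings,
addresses and ports are all made up for illustration; NAT is not modelled and
only UDP flow state is tracked."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class DiodeFirewall:
    """Hosts inside may open UDP flows outward; outside hosts may only send
    packets that match a flow already opened from inside.  Egress also checks
    that the source address really belongs to the inside prefix, which is the
    'source address verification' the reply mentions (BCP38 ingress filtering
    as seen from the Internet's side)."""

    def __init__(self, inside_prefix):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def egress(self, pkt):
        """Packet travelling from inside to outside."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return "drop: spoofed source"  # constructed verdict string
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "pass"

    def ingress(self, pkt):
        """Packet travelling from outside to inside."""
        if ipaddress.ip_address(pkt.src) in self.inside:
            return "drop: inside source arriving from outside"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "pass"
        return "drop: no matching outbound flow"


def ntp_reflection_attempt():
    """An inside host tries to bounce NTP traffic off a public server onto a
    victim by putting the victim's address in the source field (constructed
    addresses).  Returns the egress verdict with and without the source check."""
    fw = DiodeFirewall("10.0.0.0/24")
    spoofed = Packet(src="198.51.100.9", sport=40000, dst="203.0.113.5", dport=123)
    with_check = fw.egress(spoofed)
    # A firewall that accepts any source address forwards the packet, and the
    # NTP server's reply then goes to the victim rather than to the attacker.
    naive = DiodeFirewall("0.0.0.0/0")
    without_check = naive.egress(spoofed)
    return with_check, without_check


def udp_hole_punch():
    """Two hosts behind separate diode firewalls reach each other directly.
    The rendezvous step that STUN/ICE provide (learning the peer's address and
    port) is assumed to have happened already; here it is just shared constants."""
    fw_a = DiodeFirewall("10.0.0.0/24")
    fw_b = DiodeFirewall("10.1.0.0/24")
    a, b = ("10.0.0.7", 5000), ("10.1.0.9", 6000)
    a_to_b = Packet(a[0], a[1], b[0], b[1])
    b_to_a = Packet(b[0], b[1], a[0], a[1])
    log = []
    # 1. A sends first: A's firewall records the flow, but B's firewall has no
    #    matching outbound flow yet, so the packet is dropped there.
    log.append(("a->b egress", fw_a.egress(a_to_b)))
    log.append(("a->b ingress", fw_b.ingress(a_to_b)))
    # 2. B sends to A: B's firewall records its flow; A's firewall already holds
    #    the matching outbound flow, so this packet is delivered.
    log.append(("b->a egress", fw_b.egress(b_to_a)))
    log.append(("b->a ingress", fw_a.ingress(b_to_a)))
    # 3. A retransmits: B's firewall now matches too, and the diode is punched.
    log.append(("a->b retry", fw_b.ingress(a_to_b)))
    return log


if __name__ == "__main__":
    print(ntp_reflection_attempt())
    for step, verdict in udp_hole_punch():
        print(f"{step:14} {verdict}")
```

The hole-punch sequence is the whole trick: neither side ever receives an unsolicited packet, because each firewall sees an outbound packet from its own host before the peer's packet arrives, so a filter that only ever passes "replies" still ends up passing a peer-to-peer UDP session. The same trick does not work for a TCP three-way handshake through a filter that only passes packets belonging to connections opened from inside, which is why the reply expects applications to move to a reliable transport layered over UDP.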