Part of the issue is that a firewall doesn't actually do much to help a properly secured host, and they just make applications harder to develop as they need to start punching holes in multiple firewalls. It just drops a little traffic which would otherwise be rejected immediately or dropped after timeout by the host.

Additionally, firewall developers do not keep up to date with protocol changes (how many firewalls, 15 years after EDNS was developed, still think that DNS/UDP packets are 512 bytes?). They are often used incorrectly to block legitimate traffic (ICMP PTB, fragments) associated with "wanted" flows. They are themselves an attackable DoS point due to table exhaustion.

They also don't encourage other manufacturers to take the security of their products into proper consideration. Just because they are inside a "firewall" doesn't mean that they are in a safe environment, yet that is the attitude some manufacturers seem to take. Also, once the application punches holes in the firewall it may as well not be there, as the service is exposed.

What I do want to see in a firewall is outbound BCP38-style filters by default. Hosts will get compromised with or without a firewall. They will emit spoofed traffic. Most NAT boxes are pretty good at turning spoofed traffic into legitimately sourced traffic when it appears on the Internet. Firewalls should be protecting the Internet from the home, as they don't do much to protect the home from the Internet.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@xxxxxxx
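The outbound BCP38-style filter the post asks for, as an added example (not code from the post, the poster or ISC): it validates the source address of LAN-originated traffic against the site's own prefixes on the LAN-facing side, before any NAT rewrite hides the spoofing, and reports drops per source MAC, since the spoofed IP cannot identify the compromised host. The prefixes, MACs and flow records are constructed documentation-range values.

```python
import ipaddress
from collections import Counter

# Prefixes legitimately in use on the home/LAN side (constructed, documentation ranges).
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

def is_legit_source(src: str, prefixes=LOCAL_PREFIXES) -> bool:
    """BCP38 check: a packet leaving the site must carry a source from a local prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes if net.version == addr.version)

def egress_verdict(src: str, prefixes=LOCAL_PREFIXES) -> str:
    """Verdict applied on the LAN-facing side, before NAT can rewrite the source."""
    return "accept" if is_legit_source(src, prefixes) else "drop"

# Constructed outbound flow records as the LAN-facing interface sees them
# before NAT: (source MAC, source IP, destination IP, protocol).
OUTBOUND_FLOWS = [
    ("aa:bb:cc:00:00:01", "192.0.2.10", "198.51.100.1", "udp"),
    ("aa:bb:cc:00:00:02", "203.0.113.77", "198.51.100.1", "udp"),   # spoofed source
    ("aa:bb:cc:00:00:02", "10.9.9.9", "198.51.100.2", "udp"),       # spoofed source
    ("aa:bb:cc:00:00:01", "2001:db8:1::10", "2001:db8:f::1", "tcp"),
    ("aa:bb:cc:00:00:02", "2001:db8:9::1", "2001:db8:f::1", "tcp"),  # spoofed source
]

def spoofing_report(flows, prefixes=LOCAL_PREFIXES):
    """Count dropped (spoofed-source) packets per source MAC.

    The spoofed IP is useless for attribution, so the report keys on the
    L2 address, which points at the compromised host behind the filter."""
    dropped = Counter()
    for mac, src, _dst, _proto in flows:
        if egress_verdict(src, prefixes) == "drop":
            dropped[mac] += 1
    return dict(dropped)

if __name__ == "__main__":
    for mac, n in spoofing_report(OUTBOUND_FLOWS).items():
        print(f"{mac}: {n} spoofed-source packets dropped")
```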