On 07/01/2014 01:55 PM, Fred Baker (fred) wrote:
>
> That is a place I have well and truly scratched my head regarding
> the firewall discussion in the IETF. There’s a set of people,
> including me, that think that firewalls have a certain level of
> utility and in any event are a business requirement.

FWIW, I'm in this camp.

> Where my head tips is this. I see three kinds of traffic across
> that divide. One is sessions originated from the network - I sent
> something to Netflix, Facebook, or whoever, and it replied. The
> vast majority of residential traffic, I would guess, falls in that
> category, and apart from electronic mail and traffic to business
> services to customers, I would guess that the vast majority of
> legitimate enterprise traffic does as well. A second is sessions
> originated from outside the network to services that the network
> intends to offer - web access to www.example.com, incoming SMTP, my
> daughter’s surveillance service (which is a web access), and so on.
> The third is “everything else” - traffic that wasn’t invited and
> has no application, and perhaps no host, to respond to it.
>
> The first works in almost any case - a firewall that prevents you
> from running an application you want to run isn’t going to last
> very long. The second is trivially allowed for by a firewall rule
> or PCP/UPnP exchange, and if there is an application (set-top box
> or whatever) in the home that wants to allow for such a service,
> it can fire off the request. The third - what is the argument for
> letting that into my home or enterprise network?

Could you provide an example of this "third" traffic?

> And I tend to think that the conversation breaks down at that
> point. Everyone agrees on the first and second. When someone says
> “I want to block the third”, the response is “but I want to allow
> the second” without acknowledging or commenting on the third. And
> I just find myself shaking my head in disbelief. Wouldn’t it be
> nice if both speakers in the conversation would address the same
> subject?

I guess the folks arguing "but I want to allow the second" really mean "I want to allow the second with no manual configuration or upnp-kind-of-thing"?

Thanks,
--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
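The three kinds of traffic Fred describes, worked as a small flow classifier that also shows what the "third" kind looks like from the inside. This is an added example, not code from the thread; the inside prefix, the offered service and the sample packets are constructed.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port

# Constructed values: the inside address prefix and the one service the
# network intends to offer (Fred's "second" kind), a web server on port 80.
HOME_PREFIX = "192.0.2."
OFFERED = {("192.0.2.10", 80)}

def classify(packets, offered=OFFERED, home_prefix=HOME_PREFIX):
    """Label each packet 'originated' (an inside host started the session, or
    this is the peer's reply), 'offered' (inbound to a service we deliberately
    expose) or 'uninvited' (nothing inside asked for it or listens for it)."""
    sessions = set()   # (inside addr, inside port, outside addr, outside port)
    labels = []
    for p in packets:
        if p.src.startswith(home_prefix):
            sessions.add((p.src, p.sport, p.dst, p.dport))
            labels.append((p, "originated"))
        elif (p.dst, p.dport, p.src, p.sport) in sessions:
            labels.append((p, "originated"))   # reply to a session we opened
        elif (p.dst, p.dport) in offered:
            labels.append((p, "offered"))
        else:
            labels.append((p, "uninvited"))    # Fred's "third" kind
    return labels

def policy_counts(packets):
    """Count packets per category; a default-deny stateful firewall passes the
    first two categories and drops the third."""
    return Counter(label for _, label in classify(packets))

# Constructed sample traffic, in arrival order.
SAMPLE = [
    Packet("192.0.2.20", 51000, "203.0.113.5", 443),     # laptop opens HTTPS
    Packet("203.0.113.5", 443, "192.0.2.20", 51000),     # the server replies
    Packet("198.51.100.7", 40000, "192.0.2.10", 80),     # visitor to our web server
    Packet("198.51.100.9", 40001, "192.0.2.20", 23),     # inbound to a port nobody serves
    Packet("198.51.100.9", 40002, "192.0.2.20", 51000),  # wrong peer for our session
]

if __name__ == "__main__":
    for p, label in classify(SAMPLE):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {label}")
```

The last two sample packets are the "third" traffic: no inside host initiated them and no offered service matches, so the state table alone is enough to reject them without any manual rule or UPnP exchange.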