Felipe Alfaro Solana wrote:
On Mon, Apr 27, 2009 at 1:10 AM, bofh <goodb...@gmail.com> wrote:
People use it because they have a need to do something. When you're
told there's a better way to do things, pay attention,
Still no arguments on why idiots use transparent firewalls. Good to know.
Just read up on, for instance, the OpenVPN mailing lists. People get stuck, they
figure they must go to layer-2 solutions because they can't be arsed to
figure out how this weird routing thing works, and they switch to
bridging since "now I can see the WINS server on the other end!" and
they figure everything is nice and good, whereas they now send every
broadcast over everyone's VPNs. And lots more.
Same thing with layer-2 firewalls. People see how it must be good, since
now I don't have to figure out this routing thing, nor design my network,
so it must be a good thing to run L2 FWs. Then they start using it, and
sooner or later they want to add something to the FW, like VPN endpoints,
proxies, relays, remote manageability or whatever, and then this IP-less
bridge FW isn't so smart after all, but since you have wedged yourself
into the L2 solution, redesigning is still off the map, so adding even
more nonstandard shit to the L2 and cursing how sucky PF is or how weird
OBSD is becomes the only way out for the admin without a clue.
Have we seen this before? Sure. Been there, tried that.
Now, you can do all the 15 steps required to paint yourself and your
network in a corner, OR, you can listen to advice.
I don't even claim to be one of those gurus, I just know that the advice
is sound. I did bridging FWs when OBSD had IPF and it was stupid then.
It hasn't become less stupid since, for most setups.
Yes, there are corner cases, but mine wasn't at the time. Chances are
most people's cases aren't either.