Felipe Alfaro Solana wrote:
On Mon, Apr 27, 2009 at 1:10 AM, bofh <goodb...@gmail.com> wrote:
People use it because they have a need to do something.  When you're
told there's a better way to do things, pay attention,

Still no arguments on why idiots use transparent firewalls. Good to know.

Just read up on, for instance, the OpenVPN mailing lists. People get stuck, they figure they must go to layer-2 solutions because they can't be arsed to figure out how this weird routing thing works, and they switch to bridging since "now I can see the WINS server on the other end!" and they figure everything is nice and good, whereas they now send every broadcast over everyone's VPNs. And lots more.

Same thing with layer-2 firewalls. People see how it must be good, since now I don't have to figure out this routing thing, nor design my network, so it must be a good thing to run L2 FWs. Then they start using it, and sooner or later they want to add something to the FW, like VPN endpoints, proxies, relays, remote manageability or whatever, and then this IP-less bridge FW isn't so smart after all, but since you have wedged yourself into the L2 solution, redesigning is still off the map, so adding even more nonstandard shit to the L2 and cursing how sucky PF is or how weird OBSD is becomes the only way out for the admin without a clue.

Have we seen this before? Sure. Been there, tried that.

Now, you can do all the 15 steps required to paint yourself and your network in a corner, OR, you can listen to advice.

I don't even claim to be one of those gurus, I just know that the advice is sound. I did bridging FWs when OBSD had IPF and it was stupid then. It hasn't become less stupid since, for most setups.

Yes, there are corner cases, but mine wasn't at the time. Chances are most people's cases aren't either.
