----- Original Message -----
> From: "Joe Greco" <jgr...@ns.sol.net>
>
> And some products, say like FreeBSD (which forms the heart of things
> like pfSense, so let's not even begin to argue that it "isn't a
> firewall") can actually be configured to default either way.

By Owen's definition, it's not.

> So basically, while we would all prefer that firewalls default to deny,
> it probably isn't as important a distinction as this thread is making
> it out to be, because even a "default to deny" firewall fails when a
> naive admin makes a typo and allows all traffic from 0/0
> inadvertently. It's just a matter of statistical likelihood.
>
> Or perhaps a better argument would be that routers really ought to
> default to deny. :-) I'd be fine with that, but I can hear the
> screaming already.

But you're missing an important point here, Joe: we're not talking about
default configuration... we're talking about *failure modes*, which are by
definition unpredictable. All you can really do there is figure the
probabilities... and the probability is that a *router-based* firewall
(which, as you and I agree, is a helluva lot of firewalls) will *be more
likely* to fail into pass-traffic mode than into don't-pass-traffic mode.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                     j...@baylink.com
Designer                   The Things I Think                      RFC 2100
Ashworth & Associates    http://baylink.pitas.com        2000 Land Rover DII
St Petersburg FL USA     http://photo.imageinc.us            +1 727 647 1274
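The "typo that allows all traffic from 0/0" failure Joe describes is easy to catch with a ruleset audit, since pf evaluates rules top to bottom and the last matching rule wins unless "quick" is set. Added example, not from this thread or from pfSense; the pf.conf fragments are constructed, and the audit only understands the small subset of pf syntax they use.

```python
import re
from typing import Dict, List

# Constructed pf.conf fragments (not from the thread or pfSense). In pf the
# LAST matching rule wins unless a rule says "quick", so a catch-all "pass"
# placed after "block all" silently undoes the default-deny policy.
DEFAULT_DENY_RULESET = """
set skip on lo0
block all                       # default deny for anything not matched below
pass in on em0 proto tcp from 192.0.2.0/24 to any port 22
pass out on em0 all
"""

TYPO_RULESET = """
set skip on lo0
block all
pass in on em0 proto tcp from 192.0.2.0/24 to any port 22
pass in on em0 from 0/0         # meant 192.0.2.0/24; now admits all inbound traffic
"""

# Source specifications that match every host.
CATCH_ALL = {"any", "all", "0/0", "0.0.0.0/0", "::/0"}

def parse_rules(text: str) -> List[Dict]:
    """Reduce each pass/block line to the fields the audit needs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] not in ("pass", "block"):
            continue                             # options, macros, tables, ...
        m = re.search(r"\bfrom\s+(\S+)", line)
        rules.append({
            "action": words[0],
            "direction": words[1] if len(words) > 1 and words[1] in ("in", "out") else "both",
            "src": m.group(1) if m else "any",   # pf treats an omitted source as any
            "restricted": bool(re.search(r"\b(proto|port)\b", line)),
            "text": line,
        })
    return rules

def audit(text: str) -> Dict:
    """Report whether the policy opens with a default deny, and list inbound
    pass rules that admit any source without a proto/port restriction."""
    rules = parse_rules(text)
    default_deny = bool(rules) and rules[0]["action"] == "block" and rules[0]["src"] in CATCH_ALL
    overbroad = [r["text"] for r in rules
                 if r["action"] == "pass" and r["direction"] != "out"
                 and r["src"] in CATCH_ALL and not r["restricted"]]
    return {"default_deny": default_deny, "overbroad": overbroad}
```

Running `audit(TYPO_RULESET)` reports the default deny as present but flags the trailing catch-all pass, which is exactly the case where a "default to deny" ruleset no longer denies anything.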