Sent from my iPad

On Nov 15, 2011, at 4:10 PM, Jay Ashworth <j...@baylink.com> wrote:

> ----- Original Message -----
>> From: "Owen DeLong" <o...@delong.com>
> 
>> If your firewall is not working, it should not be passing packets.
> 
> Yes; your arguments all seem to depend on that property being true.
> 
> But we call it a *failure* for a reason, Owen.  

If your firewall has failed to such an extent, all bets are off about what it 
does or does not pass regardless of whether or not it mutilates the headers.

> 
> What the probability is of a firewall failing in such a fashion as to *stop
> filtering, but still pass packets* depends -- as you have pointed out -- 
> entirely on its design.
> 
> As *I* have pointed out, not all firewalls are created equal, and there are
> a helluva lot of them out there for which this desirable property *simply
> is not true*.

Then I would, by definition, call them routers, not firewalls.

> 
> Sticking your head in the sand on this point is not especially productive.

I'm not sticking my head in the sand about anything. I am pointing out that 
mutilating the packet header only reduces security. It does not improve it.

Owen

