Sent from my iPad
On Nov 15, 2011, at 4:10 PM, Jay Ashworth <j...@baylink.com> wrote:

> ----- Original Message -----
>> From: "Owen DeLong" <o...@delong.com>
>
>> If your firewall is not working, it should not be passing packets.
>
> Yes; your arguments all seem to depend on that property being true.
>
> But we call it a *failure* for a reason, Owen. If your firewall has failed to such an extent, all bets are off about what it does or does not pass, regardless of whether or not it mutilates the headers.
>
> What the probability is of a firewall failing in such a fashion as to *stop
> filtering, but still pass packets* depends -- as you have pointed out --
> entirely on its design.
>
> As *I* have pointed out, not all firewalls are created equal, and there are
> a helluva lot of them out there for which this desirable property *simply
> is not true*.

Then I would, by definition, call them routers, not firewalls.

> Sticking your head in the sand on this point is not especially productive.

I'm not sticking my head in the sand about anything. I am pointing out that mutilating the packet header only reduces security. It does not improve it.

Owen