Path: sparky!uunet!olivea!decwrl!csus.edu!netcomsv!iscnvx!leadsv!practic!brunner
From: brunner@practic.com (Thomas Eric Brunner)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Firewall usage (was: Re: ping works, but ftp/telnet get "no route)
Message-ID: <1992Jul24.161006.12786@practic.com>
Date: 24 Jul 92 16:10:06 GMT
References: <BrruC8.FEo@spock.dis.cccd.edu> <BrsM1C.36v@cs.columbia.edu> <1992Jul23.142026.20112@sci34hub.sci.com>
Reply-To: brunner@practic.UUCP (Thomas Eric Brunner)
Organization: Practical Computing Inc., Sunnyvale
Lines: 57

In article <1992Jul23.142026.20112@sci34hub.sci.com> gary@sci34hub.sci.com (Gary Heston) writes:
>In article <BrsM1C.36v@cs.columbia.edu> ji@cs.columbia.edu (John Ioannidis) writes:
>>In article <BrruC8.FEo@spock.dis.cccd.edu> markb@spock.dis.cccd.edu (Mark Bixby) writes:
>>>Why would I be able to ping a site OK, but when I try to ftp or telnet to it
>>>I receive a "no route to host" error? ....

They are probably doing packet filtering based on ports at one or another of
the routers under their administrative control, for reasons of their own.

>>The site you are trying to ping is running a firewall gateway, because
>>they're too lazy to beef up their host security and are relying on the
>>firewall to protect themselves against external attacks.

Hmm, an ad hominem explanation, always a pleasure to read in a technical list.
Having reluctantly made a few dollars working for or against host security,
I respectfully note to those not entirely convinced by the offered rationale
above, that for reasons of their own, the site in question, or any site,
may have chosen to obtain hosts which meet specific local needs, and don't
as yet meet a narrow subset of features thought of as offering "security"
to ip- (or smtp-, or decnet-, or uucp-) addressable hosts. In short, they
may be heterogeneous with some hosts meeting higher locally-defined needs
than denial of unauthorized use -- like computing for instance.

>I have to take exception to this remark. Use of a firewall doesn't indicate
>laziness on the part of a site; it most probably means that the persons
>responsible for the Internet connection and security of the sites' net are
>either too understaffed to maintain all the hosts on their site, or they
>don't have control over all the hosts, and are therefore not able to make
>them secure. And there are doubtless many sites that suffer from both
>problems.

They may also have intellectual property, or operational function, which
they value sufficiently to attempt some form of administrative filtering,
in addition to the staffing and competency issues.

>>I wish I had a transcript of Dave Clark's talk at the IETF last week.
>>He said some great things about firewall gateways and mailbridges, and
>>how they've essentially destroyed the whole purpose of having an IP
>>internet, and have forced a lot of us to use mail as a transport-level
>>protocol.

Dave is usually correct, but as he thinks quite a bit more than many, and
says what he thinks, he is frequently not correct. Send him mail and ask
for a copy, or invite him to write. Perhaps he's been misstated in this
summary of his remarks. In any event, this was not one of the more important
topics on the IETF agenda; had it been, I'm sure there would have been
other points of view expressed, as well as discussion of technical details
of implementation, which are more to the point.

I'm looking forward to John's posting, "Administrative Packet Filtering
Considered Harmful"... in comp.security.misc, or as an internet-draft...

--
#include <std/disclaimer.h>
Eric Brunner, Tule Network Services
uunet!practic!brunner or practic!brunner@uunet.uu.net
trying to understand multiprocessing is like having bees live inside your head.
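The symptom that started this thread (ping succeeds, ftp and telnet report "no route to host") is what a first-match port filter on a border router produces when it permits ICMP echo but rejects the TCP service ports with an ICMP unreachable. The following simulation is an added illustration and not code from anyone in the thread; the rule set, the network 192.0.2.0/24, the router name "R1" and the client-side mapping of a rejected packet to the BSD-style EHOSTUNREACH message "No route to host" are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ICMP_ECHO_REQUEST = 8   # ICMP type used by ping


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless port filter looks at."""
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[int] = None  # ICMP type for icmp


@dataclass(frozen=True)
class Rule:
    """One access-list entry: action taken when every given field matches."""
    action: str                      # "permit", "reject" (ICMP unreachable) or "drop" (silent)
    proto: str                       # "icmp", "tcp", "udp" or "any"
    dst_net: str                     # CIDR prefix or "any"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst_net != "any" and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


# Constructed rule set for the hypothetical border router "R1" in front of 192.0.2.0/24:
# echo requests pass, mail to the mail bridge passes, ftp/telnet are rejected
# with an ICMP unreachable, everything else is silently dropped.
R1_ACL: List[Rule] = [
    Rule("permit", "icmp", "any", icmp_type=ICMP_ECHO_REQUEST),
    Rule("permit", "tcp", "192.0.2.0/24", dport=25),
    Rule("reject", "tcp", "192.0.2.0/24", dport=21),
    Rule("reject", "tcp", "192.0.2.0/24", dport=23),
    Rule("drop", "any", "any"),
]


def filter_packet(pkt: Packet, acl: List[Rule] = R1_ACL) -> str:
    """First-match evaluation, as a router access list does it; implicit drop at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "drop"


def client_observation(action: str) -> str:
    """What the originating host sees for each filter action (assumed BSD-style socket errors):
    a reject produces an ICMP unreachable, surfaced as EHOSTUNREACH 'No route to host';
    a silent drop leaves the client waiting until it times out."""
    return {
        "permit": "forwarded",
        "reject": "No route to host",
        "drop": "timeout",
    }[action]


def simulate(service: str, src: str, dst: str) -> str:
    """Build the first packet of a ping, ftp, telnet or smtp session and report the outcome."""
    if service == "ping":
        pkt = Packet(src, dst, "icmp", icmp_type=ICMP_ECHO_REQUEST)
    else:
        port = {"ftp": 21, "telnet": 23, "smtp": 25}[service]
        pkt = Packet(src, dst, "tcp", dport=port)
    return client_observation(filter_packet(pkt))


if __name__ == "__main__":
    for svc in ("ping", "ftp", "telnet", "smtp"):
        print(f"{svc:6s} 198.51.100.5 -> 192.0.2.10: {simulate(svc, '198.51.100.5', '192.0.2.10')}")
```

The distinction between "reject" and "drop" matters for the diagnosis in the thread: only a filter that answers with an ICMP unreachable gives the immediate "no route to host" the original poster saw, whereas a silent drop would have shown up as a hang. Rule order also matters; moving the final drop rule to the top would block everything, including ping.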