- Newsgroups: comp.protocols.tcp-ip
- Path: sparky!uunet!shearson.com!snark!pmetzger
- From: pmetzger@snark.shearson.com (Perry E. Metzger)
- Subject: Re: Firewall usage (was: Re: ping works, but ftp/telnet get "no route)
- Message-ID: <1992Jul27.230721.4772@shearson.com>
- Sender: news@shearson.com (News)
- Organization: /usr/local/lib/news/organization
- References: <1992Jul23.142026.20112@sci34hub.sci.com> <1992Jul24.161006.12786@practic.com> <151os4INNm3n@agate.berkeley.edu>
- Date: Mon, 27 Jul 1992 23:07:21 GMT
- Lines: 19
-
- In article <151os4INNm3n@agate.berkeley.edu> cliff@garnet.berkeley.edu (Cliff Frost) writes:
- >The follow on point (which ji referred to), is that IP (and UDP/TCP and
- >the support infrastructure) was designed for end-to-end connectivity, so
- >firewalls and mail relays break the architectural model. It's pretty hard
- >to argue with this also.
-
- I'll argue with it. Firewalls don't have to be designed to prohibit
- all forms of end-to-end connectivity; good firewalls will allow you to
- do things like set up outgoing TCP/IP links and not incoming ones. It's
- thus possible to set up reasonable end-to-end communication for
- certain services without opening yourself up too badly to the outside
- world. Yeah, it's possible to shanghai existing connections, but the
- damage the bad guy can do is limited for most services.
-
- --
- Perry Metzger pmetzger@shearson.com
- --
- Just say "NO!" to death and taxes.
- Extropian and Proud.
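The "outgoing yes, incoming no" policy Metzger describes, as an added example that is not part of the original post or anything Metzger wrote. It models two filters of the kind a border router of that era could implement: a stateless one that admits inbound TCP only when the ACK bit is set (so connection-opening SYNs from outside are rejected but replies to inside-initiated connections pass), and a stateful one that records outbound flows by address/port 4-tuple and admits only inbound packets that match a recorded flow. It also reproduces his caveat: an attacker who forges packets that match a live flow ("shanghaiing" an existing connection) gets through either filter, because neither checks sequence numbers. The internal prefix, hosts, ports and packets are constructed for illustration.

```python
# Added example, not from the original post: a toy model of a border packet
# filter that allows outbound TCP connections and blocks inbound ones.
# Addresses, ports and packets below are constructed; INSIDE_PREFIX is an
# assumed internal network.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # hypothetical internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_decide(pkt: Packet) -> str:
    """Stateless filter: no memory of past packets.
    Inbound TCP is accepted only if the ACK bit is set, which rejects a
    fresh inbound SYN but passes replies to connections opened from inside."""
    if inside(pkt.src) and not inside(pkt.dst):
        return "ACCEPT"                      # outbound: always allowed
    if not inside(pkt.src) and inside(pkt.dst):
        return "ACCEPT" if pkt.ack else "DROP"
    return "DROP"                            # not a border crossing


class StatefulFilter:
    """Stateful filter: remembers outbound connections by 4-tuple and
    admits inbound packets only when they belong to one."""

    def __init__(self) -> None:
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt: Packet) -> str:
        if inside(pkt.src) and not inside(pkt.dst):
            if pkt.syn and not pkt.ack:      # inside host opens a connection
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if not inside(pkt.src) and inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows and not (pkt.syn and not pkt.ack):
                return "ACCEPT"              # reply traffic for a known flow
            return "DROP"                    # unsolicited inbound
        return "DROP"


def run_scenario() -> dict:
    """Constructed exchange: one outbound web connection, one inbound
    connection attempt, and one forged packet riding on the live flow."""
    client, server, attacker = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    sf = StatefulFilter()
    r = {}
    # 1. inside client opens a connection to an outside web server
    r["out_syn"] = sf.decide(Packet(client, 40001, server, 80, syn=True))
    # 2. the server's SYN/ACK reply matches the recorded flow
    r["reply_synack"] = sf.decide(Packet(server, 80, client, 40001, syn=True, ack=True))
    # 3. outsider tries to open a connection to an inside ssh port
    r["in_syn"] = sf.decide(Packet(attacker, 5555, client, 22, syn=True))
    # 4. the caveat: a packet forged to look like the server on the live flow
    #    passes, because the filter only matches the 4-tuple, not sequence numbers
    r["spoofed_on_flow"] = sf.decide(Packet(server, 80, client, 40001, ack=True))
    # 5. stateless filter: inbound SYN dropped, but any ACK-flagged inbound
    #    packet is accepted even with no connection behind it (an "ACK scan")
    r["stateless_in_syn"] = stateless_decide(Packet(attacker, 5555, client, 22, syn=True))
    r["stateless_ack_probe"] = stateless_decide(Packet(attacker, 5555, client, 22, ack=True))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

The stateful filter closes the ACK-probe hole of the stateless one (case 5) but not the forged-packet case (case 4); that is the residual risk Metzger is pointing at, and the reason the services you let out through such a filter should be ones where a hijacked connection does limited damage.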
-