COM (Paul Rubin) writes:
# I hope this list's readers don't mind my plugging the product I work
# on, but the Telebit NetBlazer can filter on all these parameters
# except for source port. We will probably add a source port parameter
# to a future release. We *do* listen to what users ask for.
AND except for the fact that the NetBlazer reorders and recombines the
rules in the filters something awful. In every release I've tried so
far, there have been bugs in this procedure, and the NetBlazer has
converted what should be a working rule set into an not-working pile
My suggestions to Telebit all along have been two-fold: add filtering
on source port, and quit trying to reorder and reduce the rules
specified by the user.
Filtering on source port is not just "one minor little thing that we
don't happen to do" (and it's not just Telebit who has told me that),
it's a major thing that greatly reduces the effectiveness of packet
filtering as a security mechanism.
Building correct and complete filter sets is difficult enought without
having to second-guess what strange and wonderful ways the router is
going to rewrite your carefully consturcted filters.
If somebody is going to plug their products on Firewalls, I intend to
be pretty merciless about exposing what I consider to be design flaws
in their products, and I encourage others to do likewise (but keep it
civil). It may seem like I'm always picking on Telebit and Cisco, but
that's only because those are the two products I'm most familiar with.
Most of the other vendors I've looked at don't even get it as close to
correct as Telebit and Cisco, so I don't even bother mentioning them.
(How's that for a back-handed compliment? :-)
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041