> Marcus J. Ranum writes:
> Really, one shouldn't be connected in the first place without
> having already done all that stuff. You only run into the problem of
> having users complaining that things have changed if you did it wrong
> the first time.

This is easy to say, but there are many of us who have been connected
to the Internet for a long time. Long enough that when we first got
connected, there really wasn't a "hacker problem". The Internet was
new then and hardly anyone knew its intricacies and those who did
were mostly trustworthy. We can hardly be faulted because we failed to
predict the future accurately. So doing it "wrong" the first time
is, IMHO, a value judgment based on 20/20 hindsight.

I am not trying to start a flame war here, just pointing out that
you can also get into the problem of having to force users to accept
changes due to circumstances completely beyond your control, such
as, the net has changed a lot since we first hooked up. And therefore,
discussing how to break changes to users is an appropriate subject
for potential firewall administrators to discuss and the fact that
it is necessary to discuss it does not necessarily indicate poor planning
or incompetence on the part of those administrators.