On Nov 15, 2011, at 4:10 PM, Jay Ashworth <jra@baylink.com> wrote:
> ----- Original Message -----
> From: "Owen DeLong" <owen@delong.com>
>
>> If your firewall is not working, it should not be passing packets.
>
> Yes; your arguments all seem to depend on that property being true.
> But we call it a *failure* for a reason, Owen.

If your firewall has failed to such an extent, all bets are off about what it does or does not pass, regardless of whether or not it mutilates the headers.

> What the probability is of a firewall failing in such a fashion as to *stop filtering, but still pass packets* depends -- as you have pointed out -- entirely on its design.
> As *I* have pointed out, not all firewalls are created equal, and there are a helluva lot of them out there for which this desirable property *simply is not true*.

Then I would, by definition, call them routers, not firewalls.

> Sticking your head in the sand on this point is not especially productive.

I'm not sticking my head in the sand about anything. I am pointing out that mutilating the packet header only reduces security. It does not improve it.

Owen