----- Original Message -----
From: "Joe Greco" <jgreco@ns.sol.net>
And some products, say like FreeBSD (which forms the heart of things like pfSense, so let's not even begin to argue that it "isn't a firewall") can actually be configured to default either way.
By Owen's definition, it's not.
Then Owen's definition is wrong, because the vast majority of "firewall" devices out there are software-based devices.
So basically, while we would all prefer that firewalls default to deny, it probably isn't as important a distinction as this thread is making it out to be, because even a "default to deny" firewall fails when a naive admin makes a typo and allows all traffic from 0/0 inadvertently. It's just a matter of statistical likelihood.
Or perhaps a better argument would be that routers really ought to default to deny. :-) I'd be fine with that, but I can hear the screaming already.
But you're missing an important point here, Joe: we're not talking about default configuration... we're talking about *failure modes*, which are by definition unpredictable.
But I'm *not* missing the point. You missed mine. The fact of the matter is that routers don't come with firewall-by-default, we've failed to find ways to make it easier for people to firewall things properly than it is to open the gates. Or even notice that their gates are wide open. That's a problem.
All you can really do there is figure the probabilities... and the probability is that a *router-based* firewall (which as you and I agree, is a helluva lot of firewalls) will *be more likely* to fail into pass traffic mode than into don't pass traffic mode.
That depends on too many factors to really be able to make that call. On the equally cutting side for NAT proponents, there are some attacks against NAT devices that often succeed that shouldn't.

I'm not trying to defend the firewall thing. That discussion is boring and dull; it's about the state of one bit, as I pointed out, which is the NANOG equivalent of how many angels can dance on the head of a pin. I was merely taking what seemed to be a good opportunity to point out that there's a more abstract failing here, which is that we have failed to make it easy to firewall by default. I don't mean "default to blocking packets." I mean that we've failed to make it easy for router owners to do abstract things like say "this network's a bunch of clients, and should be statefully firewalled for outbound connections only" and make it as easy (or easier) to do that than it is to open the connection wide open. Failing to put roadblocks in place where you could have roadblocks makes a network easier to penetrate.

But I think I've made my point. The obvious, real, clear problem with many SCADA networks is that they're built out of garbage, with garbage software stacks, with no apparent thought given to security. On the Internet, we've typically dealt with that sort of stuff by beating it senseless (open SMTP relay, etc.) and then replacing it. Adding layers to protect the "soft gooey center", as someone put it, helps, of course, but is only a band-aid solution.

Who here would go passwordless on their OOB management network?

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
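An added example, not written by anyone in this thread, of the "bunch of clients, statefully firewalled for outbound connections only" policy described above, expressed as a FreeBSD pf ruleset (the packet filter underneath pfSense); the interface names and the client prefix are assumed placeholders, and the commented-out rule at the end is the kind of "allow everything" slip the thread warns about:

```pf
# Assumed placeholders: adjust to the router's real interfaces and prefix.
ext_if  = "em0"
int_if  = "em1"
clients = "192.0.2.0/24"     # client network (documentation range, constructed)

set skip on lo0
scrub in all

# Default to deny: anything not explicitly passed below is dropped and logged,
# so a rule that is missing or mistyped fails closed rather than open.
block log all

# Clients may originate connections; state tracking lets only the matching
# replies back in, so nothing on the outside can open a connection inward.
pass in  on $int_if proto { tcp udp icmp } from $clients to any keep state
pass out on $ext_if proto { tcp udp icmp } from $clients to any keep state

# Management of the router itself, reachable only from the client side.
pass in on $int_if proto tcp from $clients to $int_if port ssh keep state

# The "typo that allows all traffic from 0/0": a rule like the one below,
# placed after "block log all" (pf's last matching rule wins) or given
# "quick", opens the gate to everyone. Left commented out on purpose.
#   pass in from any to any
#
# Before loading a change, parse it without applying it and then compare the
# loaded rules with what was intended:
#   pfctl -nf /etc/pf.conf
#   pfctl -sr
```

Because pf evaluates rules last-match-wins unless a rule says `quick`, the safest habit is to keep `block log all` first and review `pfctl -sr` after every edit.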