On Apr 10, 2007, at 5:45 PM, Rémi Denis-Courmont wrote:
So... there seems to be a need for a mechanism to open pinholes
not expect the average user be able to do that).
The hot debate around ICE & ANAT on MMUSIC at last IETF also hinted at
IPv6 stateful firewalls, very much like IPv4 (though of course there
should be no address/port translation).
Of course there will be stateful firewalls.
I compare this to the health management system of the human body.
Apart from blood loss and things like that, the mechanisms that keep
the body healthy would mostly do so without the skin. But the skin
makes it ever so much more effective.
Firewalls that permit the end to end principle to remain in force are
a good thing for networks. Where the so-called "personal firewall" on
a desktop/laptop protects the system, the firewall protects the
investment in the network and provides a second layer of defense for
Doesn't SOCKS/GSSAPI open pinholes in firewalls?
And the stateful firewalls I am most familiar with actually open
pinholes automagically. They observe SYN-etc messages going out and
open pinholes for the responses. Where one needs to do more is with
protocols where the originating message is incoming. I would expect
(in keeping with the stateful firewalls I am most familiar with) that
this is done with an access list that allows SMTP to the incoming
mail server, WWW to the web server, and so on. A SIP proxy can
similarly open a pinhole for a SIP data call.
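The pinhole behaviour described in this reply (an outbound SYN opens the return path, unsolicited inbound traffic is admitted only where an access list exposes the mail or web server, and nothing is rewritten) modelled as an added Python example; it is not part of the thread, and the prefix, addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str          # addresses below are constructed documentation-prefix samples
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN set: this packet initiates a connection

@dataclass
class StatefulFirewall:
    """Outbound SYNs open a pinhole for the reply direction; inbound traffic
    that matches no pinhole is admitted only via a static access-list entry."""
    inside_prefix: str                                   # e.g. "2001:db8:1::"
    inbound_acl: set[tuple[str, int]] = field(default_factory=set)   # (server, port)
    pinholes: set[tuple[str, int, str, int]] = field(default_factory=set)

    def is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded unchanged (no address/port translation)."""
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            if pkt.syn:   # outbound initiation: remember the flow so replies get in
                self.pinholes.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        if not self.is_inside(pkt.src) and self.is_inside(pkt.dst):
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.pinholes:
                return True   # response to something we saw go out
            if pkt.syn and (pkt.dst, pkt.dport) in self.inbound_acl:
                self.pinholes.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True   # new connection to a server the ACL exposes
            return False      # unsolicited and not listed: dropped
        return False          # does not cross the boundary; out of scope here

def demo() -> dict[str, bool]:
    """Walk the cases from the thread; the SIP proxy case would add an ACL/pinhole entry the same way."""
    fw = StatefulFirewall("2001:db8:1::",
                          inbound_acl={("2001:db8:1::25", 25), ("2001:db8:1::80", 80)})
    client, web, outsider = "2001:db8:1::10", "2001:db8:2::1", "2001:db8:9::5"
    return {
        "outbound_syn": fw.filter(Packet(client, 50000, web, 443, syn=True)),
        "reply_matches_pinhole": fw.filter(Packet(web, 443, client, 50000)),
        "reply_wrong_port": fw.filter(Packet(web, 443, client, 50001)),
        "inbound_smtp_acl": fw.filter(Packet(outsider, 40000, "2001:db8:1::25", 25, syn=True)),
        "inbound_ssh_unlisted": fw.filter(Packet(outsider, 40001, "2001:db8:1::25", 22, syn=True)),
    }
```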