> If you have a lousy firewall (i.e., one that is doing nothing more than
> keeping a UDP session open), yes, absolutely. However, good firewalls
> are doing a lot more than that.

Some of us have seen too much damage done by firewalls to DNS, SMTP and a
number of other protocols to really believe in this.

> Now, if you put in a piece-o-crap firewall that is misconfigured, too
> slow, doesn't have a big enough session table, and doesn't do anything
> more than your average reflexive access control list, then you're right
> on: rip that junk out and go bareback.

It would seem that the piece-o-crap firewalls vastly outnumber the good
firewalls. See, for instance, the discussions on various DNS lists about
firewalls and EDNS0.

> But if you do it right, there is value to be provided by a firewall.

In some circumstances, agreed. For DNS servers (whether recursive or
authoritative), absolutely not.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
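The EDNS0 damage the reply alludes to usually shows up in one of three ways on the wire: the OPT pseudo-record is missing from the answer, the answer comes back truncated (TC set) because a middlebox clamped the UDP payload to 512 bytes, or the query is rejected outright with FORMERR by something that does not understand the OPT record. The following is an added example, not code from the list post or from any product mentioned in it: it builds a minimal EDNS0 query in DNS wire format and classifies a response by those symptoms. The sample responses are constructed inline (documentation name and address, made-up transaction id) so the check runs offline; pointing it at a real resolver with a UDP socket is left to the reader.

```python
import struct

DNS_TYPE_OPT = 41   # RFC 6891 OPT pseudo-RR type code
DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns0_query(qname, qtype=DNS_TYPE_A, txid=0x1234, udp_payload=4096):
    """Standard query with RD set and one OPT record advertising udp_payload bytes."""
    # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack(">HH", qtype, DNS_CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length


def edns0_status(resp):
    """Parse a response and report the fields relevant to an EDNS0 path check."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    result = {
        "truncated": bool(flags & 0x0200),   # TC bit
        "rcode": flags & 0x000F,             # low 4 bits; extended bits added below
        "has_opt": False,
        "udp_payload_size": None,
    }
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            result["has_opt"] = True
            result["udp_payload_size"] = rclass      # CLASS carries the payload size
            result["rcode"] |= (ttl >> 24) << 4      # upper 8 bits of RCODE live in TTL
    return result


def diagnose(resp):
    """Map the parsed status onto the symptoms a broken firewall typically produces."""
    s = edns0_status(resp)
    if s["rcode"] == 1:
        return "formerr: something in the path rejects the OPT record"
    if s["truncated"] and not s["has_opt"]:
        return "opt stripped and answer truncated: payload size clamped in the path"
    if not s["has_opt"]:
        return "opt missing: EDNS0 not negotiated end to end"
    return "ok: EDNS0 intact, payload size %d" % s["udp_payload_size"]


# --- constructed sample responses (not captured traffic) ---
_question = _encode_name("example.com") + struct.pack(">HH", DNS_TYPE_A, DNS_CLASS_IN)
_answer = b"\xc0\x0c" + struct.pack(">HHIH", DNS_TYPE_A, DNS_CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
_opt = b"\x00" + struct.pack(">HHIH", DNS_TYPE_OPT, 4096, 0, 0)

SAMPLE_OK = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + _question + _answer + _opt
SAMPLE_STRIPPED_TC = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 1, 0, 0) + _question + _answer
SAMPLE_FORMERR = struct.pack(">HHHHHH", 0x1234, 0x8181, 1, 0, 0, 0) + _question

if __name__ == "__main__":
    print(len(build_edns0_query("example.com")), "byte EDNS0 query")
    for name, sample in (("ok", SAMPLE_OK), ("stripped", SAMPLE_STRIPPED_TC), ("formerr", SAMPLE_FORMERR)):
        print(name, "->", diagnose(sample))
```

The query builder deliberately advertises 4096 bytes, since that is the size most often blocked by firewalls that still assume DNS over UDP never exceeds 512 bytes; sending it to a resolver on each side of a firewall and comparing `diagnose()` output localises the problem to the middlebox rather than the server.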