Michael J McCafferty wrote:
I disagree with *you* (agree with Neil). This negotiation of a new high port to transfer the data on is dumb because the firewall, unless it is an application proxy, has no way to know what specific ports to allow the returning data on.
Thus the inherent problem in firewalls. They break the Internet's fundamental end-to-end (or peer-to-peer, if you wish) nature. Host-based security can accomplish the same thing much more reliably without breaking so much of the Internet.
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
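To make the point about dynamically negotiated data ports concrete, here is an added example that is not part of the thread above. It assumes the negotiation being discussed looks like FTP's PORT/PASV exchange (the thread never names the protocol, so that is an assumption), and the control-channel lines it parses are constructed, not captured. It models what an application-aware firewall helper has to do: read the control channel, derive the one data connection that should be expected, and refuse addresses that do not belong to the control-channel peers (the classic bounce-attack check). A packet filter that only knows static ports, modelled by `static_filter_allows`, cannot make that decision at all. The function and constant names are the example's own.

```python
"""Added example: how a firewall can (or cannot) learn a negotiated data port.

Assumption: the negotiation is modelled on FTP's PORT (active) and PASV
(passive) exchange. All sample sessions below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# Constructed control-channel transcripts: (speaker, line)
CLIENT_IP = "192.168.1.10"
SERVER_IP = "203.0.113.5"

ACTIVE_SESSION: List[Tuple[str, str]] = [
    ("client", "PORT 192,168,1,10,19,137"),      # client asks server to connect back to 192.168.1.10:5001
    ("server", "200 PORT command successful."),
    ("client", "RETR file.bin"),
]
PASSIVE_SESSION: List[Tuple[str, str]] = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,5,195,80)."),  # server listens on 203.0.113.5:50000
    ("client", "RETR file.bin"),
]
BOUNCE_SESSION: List[Tuple[str, str]] = [
    ("client", "PORT 10,0,0,7,0,25"),             # third-party host and a privileged port: must be refused
    ("server", "200 PORT command successful."),
]


@dataclass(frozen=True)
class DataConn:
    """A TCP connection the firewall would have to let through: src -> dst:dport."""
    src: str
    dst: str
    dport: int


_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields: Iterable[str]) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 encoding into (ip, port), rejecting bad octets."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    for octet in (h1, h2, h3, h4, p1, p2):
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_connection(session: Sequence[Tuple[str, str]],
                             client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Walk the control channel the way an application-aware helper does.

    Returns the single data connection to expect, or None when nothing was
    negotiated or the negotiated endpoint is not the control-channel peer
    (a bounce attempt) or is a privileged port.
    """
    for who, line in session:
        if who == "client":
            m = _PORT_RE.match(line)
            if m:
                ip, port = decode_hostport(m.groups())
                if ip != client_ip or port < 1024:
                    return None
                return DataConn(src=server_ip, dst=ip, dport=port)   # active: server dials client
        else:
            m = _PASV_RE.match(line)
            if m:
                ip, port = decode_hostport(m.groups())
                if ip != server_ip or port < 1024:
                    return None
                return DataConn(src=client_ip, dst=ip, dport=port)   # passive: client dials server
    return None


def static_filter_allows(allowed_dports: Iterable[int], conn: DataConn) -> bool:
    """A packet filter with no protocol knowledge: only a fixed port list to go on."""
    return conn.dport in set(allowed_dports)


def helper_allows(expected: Optional[DataConn], conn: DataConn) -> bool:
    """A helper-driven firewall: admit exactly the connection the control channel announced."""
    return expected is not None and conn == expected


if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION),
                          ("bounce", BOUNCE_SESSION)):
        exp = expected_data_connection(session, CLIENT_IP, SERVER_IP)
        print(f"{name:8s} expected data connection: {exp}")
        if exp:
            print(f"         static filter (port 21 only) allows it: {static_filter_allows({21}, exp)}")
            print(f"         helper allows it: {helper_allows(exp, exp)}")
```

Opening a whole high-port range to get the static filter to pass the data connection is the usual workaround, and it is exactly the loss of control the post complains about; the helper admits one tuple and nothing else.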
