Re: [fw-wiz] How automate firewall tests

Patrick M. Hausen wrote:
> Blocking ICMP completely breaks PMTUD.

Oh, THAT again.

You've got it backwards. PMTUD is already broken; blocking ICMP simply
makes that breakage apparent.

When standards bodies deliberately standardize feature-sets that they
are informed in advance are going to cause security problems, this is what you get.
There was a time when a lot of the "internet pioneers" felt that firewalls were "evil"
and that security interfered with the correct operation of the Internet ("information
must be free!") That agenda resulted in some weird collisions with
objective reality. I recall a time when lots of "internet pioneers" would go around
saying stuff like "When IPv6 is here and nobody needs firewalls anymore..."
or "Router ACLs are good enough." etc. And people wonder why the
Internet protocol stack looks like it was cobbled together by a committee
of amateurs and prima donnas: it was.
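As an added illustration of the point in dispute above (this is my code, not anything posted in the thread by either author), here is a small Python model of RFC 1191 Path MTU Discovery. The ICMP message layout is real (RFC 792 type 3 code 4, with the RFC 1191 next-hop MTU in the last two bytes of the ICMP header); the path, the two firewall policies and the sender loop are a constructed simulation, not real packets on a wire. It shows the concrete mechanism behind "blocking ICMP breaks PMTUD": a sender whose firewall drops every ICMP message never learns that a 1500-byte DF datagram does not fit a 1400-byte link, and the traffic black-holes, while a policy that admits only type 3 code 4 lets the estimate converge.

```python
"""Added example: model of IPv4 Path MTU Discovery (RFC 1191) behind a
firewall. Message layout is real; path, policies and sender are simulated."""
import struct

ICMP_DEST_UNREACH = 3      # RFC 792 Destination Unreachable
ICMP_FRAG_NEEDED = 4       # code: fragmentation needed and DF set
ICMP_TIME_EXCEEDED = 11
ICMP_ECHO_REQUEST = 8
IPV4_MIN_MTU = 68          # RFC 791: every module must forward 68 octets


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 for a valid msg."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending_datagram: bytes) -> bytes:
    """The ICMP message a router emits when a DF datagram exceeds the next
    link's MTU. RFC 1191 puts the next-hop MTU in the low 16 bits of the
    formerly unused word; the IP header plus 8 payload bytes are quoted."""
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                         0, 0, next_hop_mtu)
    msg = header + offending_datagram[:28]
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if this is not a valid
    Fragmentation Needed message (short, bad checksum, wrong type/code)."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    return mtu


# Two constructed firewall policies: each takes an ICMP message headed for
# the protected sender and answers whether it is allowed through.
def drop_all_icmp(msg: bytes) -> bool:
    """The policy the thread argues about: nothing of protocol 1 passes."""
    return False


def permit_pmtud_icmp(msg: bytes) -> bool:
    """Minimal exception: type 3 code 4 (and type 11, which traceroute and
    TTL diagnostics need) pass; echo and everything else are still dropped."""
    icmp_type, code = msg[0], msg[1]
    return ((icmp_type, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)
            or icmp_type == ICMP_TIME_EXCEEDED)


def simulate_pmtud(link_mtus, firewall, initial_mtu=1500, max_rounds=8):
    """A sender behind `firewall` sends DF datagrams of its current MTU
    estimate along a path whose links have `link_mtus` (constructed).
    Returns (final_mtu_estimate, delivered)."""
    mtu = initial_mtu
    for _ in range(max_rounds):
        # Stand-in 20-byte IPv4 header (version/IHL, total length) + 8 bytes
        # of payload: just enough for the router to quote in its ICMP reply.
        datagram = b"\x45\x00" + struct.pack("!H", mtu) + b"\x00" * 24
        too_small = next((m for m in link_mtus if m < mtu), None)
        if too_small is None:
            return mtu, True                 # fits every link: delivered
        icmp = build_frag_needed(too_small, datagram)
        if not firewall(icmp):
            continue                         # hint dropped: silent black hole
        new_mtu = parse_frag_needed(icmp)
        # RFC 1191: only accept a value strictly smaller than the estimate;
        # the floor rejects absurd (or spoofed) values below the IPv4 minimum.
        if new_mtu is not None and IPV4_MIN_MTU <= new_mtu < mtu:
            mtu = new_mtu
    return mtu, False


if __name__ == "__main__":
    path = [1500, 1400, 1500]
    print("drop all ICMP     :", simulate_pmtud(path, drop_all_icmp))
    print("permit 3/4 and 11 :", simulate_pmtud(path, permit_pmtud_icmp))
```

The design choice worth noting is that the exception is narrow: the sender accepts only a well-formed type 3 code 4 whose MTU is smaller than what it already uses and not below the IPv4 minimum, so admitting those messages through the filter does not mean admitting echo requests or every other ICMP type, and a garbage or shrunken MTU value is ignored rather than acted on.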


