"JE" == Jan Engelhardt <jengelh@linux01.gwdg.de> writes:
JE> On Dec 8 2006 02:04, Joachim Schrod wrote:
To quote Jon Postel in RFC 761, the TCP definition from January 1980, the last two lines on page 12:
be conservative in what you do, be liberal in what you accept from others.
Words to keep in mind; they have served us well for more than 25 years -- RIP Jon Postel.
JE> You know where this RFC attitude brought us - Web browsers accepting
JE> broken HTML, resulting in sloppy non-standard pages that display in
JE> less than average of the browsers.

And, so what? It made the Internet usable for millions of users. And, for the record, I think that's a Good Thing(tm). I'm against that elitism that would have prevented my mother, aged 71, from being able to learn to send emails and surf the Net three years ago when she retired. She will never understand that there's a difference between a Web browser and a Mail client; that's completely blurred to her, it's all `that Internet thingy' -- but so what? Who cares, as long as she can communicate with her relatives?

JE> Especially when it comes to
JE> security, e.g. firewalls, it's better to turn the RFC quote:
JE> Be conservative in what you accept and be
JE> liberal in what you do.
JE> [http://jengelh.hopto.org/p/jen_ipfw/TECH.txt]

I have worked for more than 10 years as CEO of a security consulting company, I have worked on the Internet since 1992 and have been a member of several IETF working groups, and I have planned the connection of whole countries to the Internet. From my experience, I can only say: to use that sentence in the context of firewalls is not sensible, and seems to have been made tongue-in-cheek without thinking it through.

Be liberal in what you do? E.g., allowing broken IP packets to leave one's network? E.g., with spoofed source IP addresses? E.g., allowing outgoing IRC packets for all systems? Or any other outgoing connections that do not conform to business and usage rules? Like, you know, those connections that enable bot networks in the first place because they allow them to be controlled from the outside. If more institutions, people, and operating system default installations would implement egress filtering, we would have far fewer security problems in the first place.

And you tell me that my attitude brings us bad HTML pages?
Your attitude helps to build bot networks and hackers. You can guess yourself what I think is worse.

	Joachim

PS: Please reply to the list. I don't consider this a private discussion.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod                          Email: jschrod@acm.org
Roedermark, Germany
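An added illustration of the egress-filtering policy argued for in the message above (example code written for this page, not from the post or from jen_ipfw): a small Python model that gives every outbound flow a verdict, dropping spoofed source addresses and anything outside a business allow-list, and tallies the drops per source for review. The internal prefix, the mail-relay host, the allowed ports and the flow records are constructed assumptions using RFC 5737 documentation addresses.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
# Assumptions for this example: the site's own prefix (RFC 5737 TEST-NET-1),
# the hosts allowed to send SMTP directly, and the outbound service allow-list.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_RELAYS = {ipaddress.ip_address("192.0.2.25")}
ALLOWED_TCP_PORTS = {25, 80, 443}   # SMTP (relays only), HTTP, HTTPS
ALLOWED_UDP_PORTS = {53}            # DNS

@dataclass(frozen=True)
class Flow:
    src: str    # source address as seen at the border, leaving the network
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def egress_verdict(flow):
    # Default-deny egress policy; returns ('ACCEPT'|'DROP', reason).
    src = ipaddress.ip_address(flow.src)
    # Anti-spoofing: nothing leaves with a source address we do not own.
    if src not in INTERNAL_NET:
        return ("DROP", "spoofed-source")
    if flow.proto == "tcp":
        if flow.dport == 25 and src not in MAIL_RELAYS:
            return ("DROP", "smtp-not-relay")
        if flow.dport in ALLOWED_TCP_PORTS:
            return ("ACCEPT", "allowed-tcp")
    elif flow.proto == "udp" and flow.dport in ALLOWED_UDP_PORTS:
        return ("ACCEPT", "allowed-udp")
    # Everything else (IRC, arbitrary high ports, ...) is not a business use.
    return ("DROP", "default-deny")

def filter_flows(flows):
    # Apply the policy to a batch; tally drops per (source, reason) for review.
    accepted, drops = [], Counter()
    for f in flows:
        verdict, reason = egress_verdict(f)
        if verdict == "ACCEPT":
            accepted.append(f)
        else:
            drops[(f.src, reason)] += 1
    return accepted, drops

SAMPLE_FLOWS = [  # constructed sample flows, not captured traffic
    Flow("192.0.2.10", "198.51.100.5", "tcp", 443),    # normal HTTPS
    Flow("192.0.2.10", "198.51.100.53", "udp", 53),    # DNS lookup
    Flow("192.0.2.25", "198.51.100.25", "tcp", 25),    # mail relay delivering mail
    Flow("192.0.2.77", "198.51.100.25", "tcp", 25),    # workstation sending SMTP directly
    Flow("192.0.2.77", "203.0.113.9", "tcp", 6667),    # workstation talking IRC
    Flow("203.0.113.200", "198.51.100.5", "tcp", 80),  # source address we do not own
]
```

Running `filter_flows(SAMPLE_FLOWS)` accepts the first three flows and reports the workstation's direct SMTP and IRC attempts plus the spoofed packet as drops; the per-source tally is what an administrator would review, since a single host repeatedly hitting default-deny on IRC ports is exactly the control traffic the message describes.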