Re: Real life scenario - requirements (local addressing)

At Thu, 07 Aug 2003 14:25:18 +1000, Andrew White wrote:
> Keith Moore wrote:
> > it's far easier to filter global addresses than to filter local ones.
> *boggle*  Am I the only one that finds this claim nonsensical?

I wouldn't phrase it as Keith did, but I think that I end up in the
same place: it's easier to filter just global addresses than it is to
filter both global and local addresses, particularly when there are so
many inventive ways of combining different kinds of addresses to make
still more addresses (e.g., 6to4 + RFC 1918).

Oh, you thought I -trusted- hosts with several thousand executable
programs on them running who knows what to get this stuff right?
Heck, I filter the NFS ports on boxes that have NFS disabled at
compile time.  Never trust any machine more complicated than a spoon.
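
[Added illustration, not part of the original message.] The "6to4 + RFC 1918" combination mentioned above, as a Python sketch: a filter that only matches prefixes misses a private IPv4 address wrapped inside a 6to4 address, so the check has to unwrap it. The function names, labels and sample addresses are constructed for this example; the fec0::/10 site-local check goes beyond the one combination the message names.

```python
import ipaddress

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 site-local prefix (the "local addressing" under discussion in 2003).
SITE_LOCAL = ipaddress.ip_network("fec0::/10")


def is_rfc1918(v4):
    """True if an IPv4Address falls in any RFC 1918 range."""
    return any(v4 in net for net in RFC1918)


def classify(text):
    """Label an address by the local/global question a filter must answer.

    Labels are hypothetical names for this sketch, not standard terms.
    """
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return "rfc1918" if is_rfc1918(addr) else "v4-other"
    if addr in SITE_LOCAL:
        return "site-local"
    # sixtofour is the IPv4 address embedded in a 2002::/16 address, else None.
    embedded = addr.sixtofour
    if embedded is not None:
        return "6to4(rfc1918)" if is_rfc1918(embedded) else "6to4(other)"
    return "v6-other"


def naive_is_local(text):
    """Prefix-only check: what a filter sees if it never unwraps 6to4."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return is_rfc1918(addr)
    return addr in SITE_LOCAL


def is_local(text):
    """Check that also treats 6to4-wrapped RFC 1918 addresses as local."""
    return classify(text) in {"rfc1918", "site-local", "6to4(rfc1918)"}


if __name__ == "__main__":
    # Constructed sample addresses; 2002:0a00:0001::1 embeds 10.0.0.1.
    for sample in ("10.0.0.1", "fec0::1", "2002:0a00:0001::1",
                   "2002:c000:0201::1", "2001:db8::1"):
        print(f"{sample:22} {classify(sample):14} "
              f"naive={naive_is_local(sample)} unwrapped={is_local(sample)}")
```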
