Wandering Thoughts archives

2007-06-07

Why I hate firewalls, especially stateful firewalls

I hate firewalls because every firewall between two machines trying to talk to each other is another place for things to go wrong, which means another place to check (somehow) when things do go wrong.

Stateless firewalls at least have the grace to have consistent and predictable behavior; if something is wrong, it is going to be wrong all the time. Stateful firewalls make your life exciting by varying their behavior based on an ever-changing flux of generally unpredictable and inaccessible information, so things can go wrong now and be fine ten minutes from now, or vice versa.
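As an added illustration (not part of the original post), here is a toy model of the state-dependent behaviour just described: the filter, the addresses and the idle timeout are all constructed, not taken from any real product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True for the opening SYN of a TCP connection
    ts: float    # arrival time in seconds

class StatefulFilter:
    """Toy stateful filter (hypothetical model, not any real product). Hosts
    inside `inside_prefix` may open connections outward; replies pass only while
    a matching state entry exists, and entries are forgotten after `idle_timeout`
    seconds of silence. That table is the hidden, changing information."""

    def __init__(self, inside_prefix: str, idle_timeout: float) -> None:
        self.inside_prefix = inside_prefix
        self.idle_timeout = idle_timeout
        self.state: dict[tuple, float] = {}   # flow 4-tuple -> last time seen

    def filter(self, p: Packet) -> tuple[str, str]:
        # Expire idle entries first: an identical packet can get a different
        # verdict depending only on what did (or did not) happen in the meantime.
        self.state = {f: t for f, t in self.state.items() if p.ts - t <= self.idle_timeout}
        flow, reverse = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if p.syn and p.src.startswith(self.inside_prefix):
            self.state[flow] = p.ts
            return ("ACCEPT", "NEW")
        for f in (flow, reverse):
            if f in self.state:
                self.state[f] = p.ts
                return ("ACCEPT", "ESTABLISHED")
        return ("DROP", "NO_STATE")   # dropped silently; neither endpoint is told

def run_scenario(idle_timeout: float) -> list[tuple[str, str]]:
    """Constructed traffic: inside host 10.0.0.5 opens SSH to 203.0.113.7, gets a
    reply, then the session sits idle for ten minutes before the server speaks."""
    fw = StatefulFilter("10.0.0.", idle_timeout)
    pkts = [
        Packet("10.0.0.5", 40000, "203.0.113.7", 22, True, 0.0),     # client SYN
        Packet("203.0.113.7", 22, "10.0.0.5", 40000, False, 1.0),    # server reply
        Packet("203.0.113.7", 22, "10.0.0.5", 40000, False, 601.0),  # same flow, later
    ]
    return [fw.filter(p) for p in pkts]

if __name__ == "__main__":
    for timeout in (300, 900):   # 5-minute vs 15-minute idle timeout
        print(f"idle_timeout={timeout}s:", run_scenario(timeout))
```

The third packet is byte-for-byte the same flow as the second, yet with a 300-second timeout it is dropped and with a 900-second one it passes; nothing on either endpoint reveals which firewall made that call.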

As alluded to, figuring out which firewall ate your packets is not a trivial exercise. The downside of transparency is invisibility, and even with a stateless routing firewall the tools required to probe its behavior from the outside are quite technical and not necessarily complete. And that's the best case.

(Even on the inside, the tools are technical. You are doing well if your own firewalls tell you about the packets that they drop, reject, or modify.)

sysadmin/FirewallHate written at 23:39:33

