In September 2020, Matthias Luft wrote an introductory article describing host-based firewalls (traffic filtering functionality deployed on end-hosts). His article triggered numerous questions including:
- Why don’t we have dynamic firewall policies where the end-hosts could specify which TCP/UDP ports they need?
- Can we use traffic flow analysis to reverse-engineer firewall rules?
- Is there any chance of fixing this problem?

Networking vendors love promoting novel, overly complex technologies instead of solving their customers' challenges with good network design. High-availability switching (the ability to continue packet forwarding during a control-plane failure) is no exception.