by ynbl_ 1350 days ago
a WAF doesn't stop 99%. updating software does that. WAFs are bad. stop using them.

imagine a blog with a comments section with a check box that says "bypass security check". if you click this, the admin scolds you saying "how dare you try and bypass security" and bans you. if you _don't_ click it, the admin laughs at you when you complain about too many captchas because "all you had to do was click the check box", idiot. either case can happen depending on which ideology the admin so happens to follow. that's the problem with WAFs, they are ideological and opinion based but at the protocol level (but most WAFs are such low quality that accidentally typing ' can get your IP banned).
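As an added example (not code from the thread or any real WAF product): the false positive ynbl_ describes, a lone `'` getting a request blocked, comes from a rule that keys on a single character. The scored rule below, with constructed indicator weights and sample comments, only fires when several indicators co-occur, so an apostrophe in ordinary prose never reaches the threshold.

```python
import re

# Constructed sample comment bodies (not from the thread): two benign
# comments that a naive rule mishandles, and one textbook probe string.
SAMPLE_COMMENTS = [
    "I don't think that's right",   # benign, apostrophes only
    "Tom and Jerry = best duo",      # benign, looks like 'and x =' alone
    "x' OR '1'='1",                  # classic probe, several indicators
]

def naive_rule(text: str) -> bool:
    """The rule the thread complains about: any single quote is 'an attack'."""
    return "'" in text

# Weighted indicators (assumed values for illustration). Each pattern adds
# its weight once; the request is blocked only when the total reaches
# THRESHOLD, so no single indicator can block on its own.
INDICATORS = [
    (re.compile(r"'"), 1),
    (re.compile(r"\b(or|and)\b\s+'?\w+'?\s*=", re.I), 3),
    (re.compile(r"--|/\*|;"), 2),
    (re.compile(r"\bunion\b\s+\bselect\b", re.I), 4),
]
THRESHOLD = 4

def anomaly_score(text: str) -> int:
    """Sum of weights of all indicators present in the text."""
    return sum(weight for rx, weight in INDICATORS if rx.search(text))

def scored_rule(text: str) -> bool:
    """Block only when enough independent indicators co-occur."""
    return anomaly_score(text) >= THRESHOLD

def evaluate(rule) -> dict:
    """Map each sample comment to whether the given rule would block it,
    so false positives are visible side by side with true positives."""
    return {comment: rule(comment) for comment in SAMPLE_COMMENTS}

if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("scored", scored_rule)):
        print(name, evaluate(rule))
```

Running it shows the naive rule blocking the first benign comment while the scored rule blocks only the probe; the mitigation on the application side (parameterized queries) makes the quote irrelevant regardless of which rule is in front.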


WAFs can be used poorly, but zero of my experience with them aligns with your complaints.

If "WAF" bothers you, call it ingress/egress filtering (at the content level instead of packet level) instead.

but it's not comparable to egress filtering _at all_
OK, sure. The WAF does ingress filtering though. It's useful, and ingress filtering is what we were talking about.

In my architecture, the same services also perform egress filtering. It's also useful, but not the WAF or the topic of conversation.

I think people get upset about the term "WAF". It's just a new label for the longstanding practice of upper-layer ingress filtering (i.e. DPI and reverse-proxy filtering). But it's often a dedicated service now, so it needs a name of some kind.

A poorly-configured WAF breaks things, just like a poorly-configured (any other network service).