by quesera 1349 days ago
WAFs can be used poorly, but zero of my experience with them aligns with your complaints.

If "WAF" bothers you, call it ingress/egress filtering (at the content level instead of packet level) instead.

1 comments

but it's not comparable to egress filtering _at all_
OK, sure. The WAF does ingress filtering though. It's useful, and ingress filtering is what we were talking about.

In my architecture, the same services also perform egress filtering. It's also useful, but not the WAF or the topic of conversation.

I think people get upset about the term "WAF". It's just a new label for the longstanding practice of upper-layer ingress filtering (i.e. DPI and reverse-proxy filtering). But it's often a dedicated service now, so it needs a name of some kind.

A poorly-configured WAF breaks things, just like a poorly-configured (any other network service).