5 May 2015, 7:58 p.m.
On 5/5/2015 4:34 PM, Mark Andrews wrote:
> In message <20150505113445.GB24399@gsp.org>, Rich Kulawiec writes:
>> I break them up by function and (when necessary) by the topology enforced by geography. The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary.
>
> Deny all really isn't needed with modern machines but that is a matter of policy.

The firewalls I've worked with don't log denies if they are due to an implicit deny-all at the end of the policy. I always put one in at the end to make sure that the attempt is logged.

Gene
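An nftables ruleset illustrating the point above, added here as an example and not taken from the thread or from any poster: the chain policy silently drops whatever no rule accepts, so an explicit final rule is needed if those attempts are to appear in the log. The exposed port (SSH), the log prefix and the rate limit are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: explicit, logged final deny versus the silent chain policy.
flush ruleset

table inet filter {
    chain input {
        # The policy is the implicit deny-all: unmatched packets are dropped
        # here with no log entry at all.
        type filter hook input priority 0; policy drop;

        # Permit only what is necessary (assumed: loopback, replies to
        # connections this host opened, and inbound SSH).
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept

        # Explicit final deny: log the attempt (rate-limited so a flood
        # cannot fill the log), then drop. Packets above the rate limit
        # skip the log rule and are still dropped by the next rule.
        limit rate 10/minute burst 20 packets log prefix "nft-input-deny: " level info
        counter drop
    }
}
```

Load with `nft -f <file>`; denied attempts then show up in the kernel log under the prefix, and `nft list chain inet filter input` shows the drop counter climbing.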