On 07.05.2015 08:30, Scott Weeks wrote:

--- rsk@gsp.org wrote: From: Rich Kulawiec <rsk@gsp.org>

The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary. ------------------------------------

I think you got this backward? That way all traffic is blocked, so none is allowed through. Also, deny by default at the end of the rule set is not the best thing for every network that needs a firewall. Some just want to block bad stuff they see and allow everything else. (And some have stated here that they will block entire countries until their culture changes!)

--- aj@jonesy.com.au wrote: From: Andrew Jones <aj@jonesy.com.au> It depends on the software used and implementation. Many rulesets for pf on BSD start with 'block in on interfaceX' for instance, because it uses a "last match wins" system, unless you use the 'quick' keyword to make rule processing stop if that rule matches. ----------------------------------------- I was assuming stop looking on first match. So, "deny ip any any" blocks everything at the very beginning. scott