Re: Network Segmentation Approaches
--- rsk@gsp.org wrote:
From: Rich Kulawiec <rsk@gsp.org>
The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary.
------------------------------------

I think you got this backward? That way all traffic is blocked, so none is allowed through. Also, deny by default at the end of the rule set is not the best thing for every network that needs a firewall. Some just want to block bad stuff they see and allow everything else. (And some have stated here that they will block entire countries until their culture changes!)

scott
On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
--- rsk@gsp.org wrote:
From: Rich Kulawiec <rsk@gsp.org>
The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary.
------------------------------------
I think you got this backward? That way all traffic is blocked, so none is allowed through.
Nope, I said exactly what I intended (and what I do, in practice). Doing so forces one to understand in detail what traffic actually needs to pass in/out and to craft specific rules for it. This in turn helps avoid making mistake #1:

The Six Dumbest Ideas in Computer Security
http://www.ranum.com/security/computer_security/editorials/dumb/

---rsk
It depends on the software used and implementation. Many rulesets for pf on BSD start with 'block in on interfaceX' for instance, because it uses a "last match wins" system, unless you use the 'quick' keyword to make rule processing stop if that rule matches.

Andrew

On 07.05.2015 08:30, Scott Weeks wrote:
--- rsk@gsp.org wrote:
From: Rich Kulawiec <rsk@gsp.org>
The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary.
------------------------------------
I think you got this backward? That way all traffic is blocked, so none is allowed through. Also, deny by default at the end of the rule set is not the best thing for every network that needs a firewall. Some just want to block bad stuff they see and allow everything else. (And some have stated here that they will block entire countries until their culture changes!)
scott
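The disagreement above comes down to rule-evaluation semantics. The following is an added illustration, not code from any of the posters: a small simulator of a "block all first, then permit" ruleset evaluated under pf-style last-match-wins (with the 'quick' keyword) and under first-match semantics. The rule syntax, interface name and ports are constructed stand-ins, not real pf.conf.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "block" or "pass"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None matches any interface
    proto: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None   # None matches any destination port
    quick: bool = False          # pf 'quick': stop evaluating on match

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.port in (None, pkt.port))

def evaluate_last_match(rules, pkt, default="pass"):
    """pf semantics: the last matching rule wins, unless a matching
    rule is marked 'quick', which ends evaluation immediately."""
    verdict = default  # pf passes traffic that no rule matches
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

def evaluate_first_match(rules, pkt, default="pass"):
    """First-match semantics: the first matching rule decides."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default

# Constructed ruleset in the style Andrew describes: deny-all first, permits after.
RULESET = [
    Rule("block", "in", iface="em0"),
    Rule("pass", "in", iface="em0", proto="tcp", port=22),
    Rule("pass", "in", iface="em0", proto="tcp", port=443),
]
SSH = Packet("in", "em0", "tcp", 22)      # should be permitted
TELNET = Packet("in", "em0", "tcp", 23)   # should fall through to the block
```

Under last-match-wins the leading block acts as the default and the later pass rules carve out exceptions; under first-match the same order blocks everything, which is Scott's objection. Adding 'quick' to the leading block reproduces the first-match outcome in pf.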