[179725] in North American Network Operators' Group
Re: Network Segmentation Approaches
daemon@ATHENA.MIT.EDU (Gene LeDuc)
Tue May 5 20:31:45 2015
X-Original-To: nanog@nanog.org
Date: Tue, 05 May 2015 16:58:19 -0700
From: Gene LeDuc <gleduc@mail.sdsu.edu>
To: Mark Andrews <marka@isc.org>, Rich Kulawiec <rsk@gsp.org>
In-Reply-To: <20150505233447.0AF4E2DCCA80@rock.dv.isc.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On 5/5/2015 4:34 PM, Mark Andrews wrote:
> In message <20150505113445.GB24399@gsp.org>, Rich Kulawiec writes:
>> I break them up by function and (when necessary) by the topology
>> enforced by geography. The first rule in every firewall is of
>> course "deny all" and subsequent rulesets permit only the traffic
>> that is necessary.
>
> Deny all really isn't needed with modern machines but that is a matter of
> policy.
The firewalls I've worked with don't log denies if they are due to an
implicit deny-all at the end of the policy. I always put one in at the
end to make sure that the attempt is logged.
Gene
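The point Gene makes above, that traffic falling through to a chain's implicit default policy is dropped without a trace while an explicit final deny rule with logging records the attempt, is shown in the following added example. It is not code from the thread or from any real firewall; it is a small first-match policy evaluator with an nftables-style rendering, and the rules, addresses and packets it uses are constructed for illustration.

```python
"""Model of first-match firewall policy evaluation, showing why an explicit,
logged deny-all at the end of a ruleset is still worth adding when the chain
default policy is already DROP.  Added example, not from the NANOG thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    log: bool = False            # emit a log line when this rule matches
    prefix: str = ""             # log prefix, as in nft 'log prefix "..."'

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

    def to_nft(self) -> str:
        parts = []
        if self.src != "0.0.0.0/0":
            parts.append(f"ip saddr {self.src}")
        if self.dst != "0.0.0.0/0":
            parts.append(f"ip daddr {self.dst}")
        if self.proto != "any":
            parts.append(f"{self.proto} dport {self.dport}" if self.dport is not None
                         else f"ip protocol {self.proto}")
        if self.log:
            parts.append(f'log prefix "{self.prefix}"')
        parts.append(self.action)
        return " ".join(parts)


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str = "drop"   # chain policy, e.g. 'policy drop;' / '-P INPUT DROP'

    def evaluate(self, pkt: Packet, log: List[str]) -> str:
        """First match wins.  A packet that matches no rule gets the chain
        default silently: no rule fired, so nothing is written to the log."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    log.append(f"{rule.prefix}{pkt.proto} {pkt.src} -> "
                               f"{pkt.dst}:{pkt.dport} {rule.action}")
                return rule.action
        return self.default_action

    def to_nft(self) -> str:
        body = "\n".join(f"    {r.to_nft()}" for r in self.rules)
        return (f"chain input {{\n    type filter hook input priority 0; "
                f"policy {self.default_action};\n{body}\n}}")


# Constructed allow-list: SSH from the internal /8, HTTPS from anywhere.
ALLOW_RULES = [
    Rule("accept", proto="tcp", src="10.0.0.0/8", dport=22),
    Rule("accept", proto="tcp", dport=443),
]
# Relies on the chain default alone: unmatched traffic is dropped but never logged.
IMPLICIT_ONLY = Policy(ALLOW_RULES)
# Same allow-list plus an explicit, logged deny-all as the last rule.
EXPLICIT_DENY = Policy(ALLOW_RULES + [Rule("drop", log=True, prefix="POLICY-DENY ")])

# Constructed sample traffic; the last two packets match no allow rule.
SAMPLE = [
    Packet("10.1.2.3", "192.0.2.10", "tcp", 22),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 3389),
    Packet("203.0.113.9", "192.0.2.10", "udp", 161),
]


def run(policy: Policy, packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Evaluate every packet; return (verdicts, log lines produced)."""
    log: List[str] = []
    verdicts = [policy.evaluate(p, log) for p in packets]
    return verdicts, log


if __name__ == "__main__":
    for name, pol in (("implicit only", IMPLICIT_ONLY), ("explicit deny", EXPLICIT_DENY)):
        verdicts, log = run(pol, SAMPLE)
        print(f"{name}: verdicts={verdicts} logged={len(log)}")
        for line in log:
            print("   ", line)
    print(EXPLICIT_DENY.to_nft())
```

Both policies drop the same two packets; only the second one leaves log lines for them, and the rendered chain ends in `log prefix "POLICY-DENY " drop` rather than relying on `policy drop;` alone. On a real firewall the equivalent is an unconditional log-and-drop rule (or a log rule immediately followed by a drop) placed last, with rate limiting on the log action so a scan cannot flood the logging path.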