[179768] in North American Network Operators' Group
Re: Network Segmentation Approaches
daemon@ATHENA.MIT.EDU (Scott Weeks)
Wed May 6 21:05:58 2015
X-Original-To: nanog@nanog.org
Date: Wed, 6 May 2015 18:02:49 -0700
From: "Scott Weeks" <surfer@mauigateway.com>
To: <nanog@nanog.org>
Reply-To: surfer@mauigateway.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 07.05.2015 08:30, Scott Weeks wrote:
> --- rsk@gsp.org wrote:
> From: Rich Kulawiec <rsk@gsp.org>
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
> ------------------------------------
>
>
> I think you got this backward? That way all
> traffic is blocked, so none is allowed through.
> Also, deny by default at the end of the rule
> set is not the best thing for every network
> that needs a firewall. Some just want to block
> bad stuff they see and allow everything else.
> (And some have stated here that they will block
> entire countries until their culture changes!)
---------------------------------------
--- aj@jonesy.com.au wrote:
From: Andrew Jones <aj@jonesy.com.au>
It depends on the software used and implementation.
Many rulesets for pf on BSD start with 'block in on
interfaceX' for instance, because it uses a "last
match wins" system, unless you use the 'quick'
keyword to make rule processing stop if that rule
matches.
-----------------------------------------
I was assuming stop looking on first match. So,
"deny ip any any" blocks everything at the very
beginning.
scott
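The disagreement above comes down to whether the filter engine stops at the first matching rule (Cisco ACLs, iptables) or keeps going and lets the last matching rule win (pf, unless a rule says `quick`). The following is an added example, not code from the thread or from pf/IOS: a small Python evaluator with a simplified rule model (protocol, source CIDR, destination port, no interface or direction) that runs one intent, "block everything except SSH from 10.0.0.0/24 and HTTP from anywhere", through both engines. The rule lists and the sample packets are constructed for illustration.

```python
"""Toy packet-filter evaluator: first-match (ACL style) vs last-match (pf style).

Added example for the NANOG thread on firewall rule ordering. The rule syntax is
a simplified model, not a parser for pf.conf or IOS access-lists.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False              # pf 'quick': stop evaluating when this rule matches
    proto: Optional[str] = None      # None = any protocol
    src: Optional[str] = None        # source CIDR, None = any source
    dst_port: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule specifies agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src is not None and (
        ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src)
    ):
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ACL / iptables style: the first matching rule decides; implicit deny at the end."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


def last_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """pf style: the last matching rule decides, unless a matching rule is 'quick'."""
    decision = default
    for r in rules:
        if matches(r, pkt):
            decision = r.action
            if r.quick:          # 'quick' turns this rule into a first-match stop
                break
    return decision


# pf-style ordering: a catch-all block first, specific pass rules after it.
PF_RULES = [
    Rule("block"),
    Rule("pass", proto="tcp", src="10.0.0.0/24", dst_port=22),
    Rule("pass", proto="tcp", dst_port=80),
]

# Same catch-all but marked 'quick': nothing after it is ever consulted.
PF_QUICK_RULES = [Rule("block", quick=True)] + PF_RULES[1:]

# The same intent written for a first-match engine: permits first, deny-all last.
ACL_RULES = [
    Rule("pass", proto="tcp", src="10.0.0.0/24", dst_port=22),
    Rule("pass", proto="tcp", dst_port=80),
    Rule("block"),
]

# Constructed sample traffic (RFC 5737 documentation address for the outsider).
SAMPLE = [
    Packet("tcp", "10.0.0.5", 22),    # SSH from the trusted /24
    Packet("tcp", "192.0.2.1", 22),   # SSH from outside
    Packet("tcp", "192.0.2.1", 80),   # HTTP from outside
    Packet("udp", "192.0.2.1", 53),   # DNS, never permitted
]


def evaluate(rules: List[Rule], pkts: List[Packet],
             engine: Callable[[List[Rule], Packet], str]) -> List[str]:
    """Run every packet through the given engine and return the decisions in order."""
    return [engine(rules, p) for p in pkts]


if __name__ == "__main__":
    for name, rules in (("pf rules", PF_RULES), ("pf rules + quick", PF_QUICK_RULES),
                        ("ACL rules", ACL_RULES)):
        print(f"{name:18} last-match : {evaluate(rules, SAMPLE, last_match)}")
        print(f"{name:18} first-match: {evaluate(rules, SAMPLE, first_match)}")
```

Under last-match the pf ordering gives pass/block/pass/block, exactly the intended policy; feed that same list to a first-match engine and the leading catch-all blocks all four packets, which is the outcome Scott describes. The ACL ordering shows the mirror image: correct under first-match, all-block under last-match because the trailing deny always matches last. Adding `quick` to the leading block rule makes pf behave like the first-match engine, so a `quick` catch-all at the top is the pf mistake equivalent to `deny ip any any` as line one of an ACL.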