[geeks] IPFilter experts?
Kurt Huhn
kurt at k-huhn.com
Mon Nov 11 13:49:59 CST 2002
woods at weird.com (Greg A. Woods) wrote:
> [ On Monday, November 11, 2002 at 11:13:43 (-0500), Kurt Huhn wrote: ]
> > Subject: Re: [geeks] IPFilter experts?
> >
> > I'm far from an ipfilter wizard, but good firewall ruleset design goes
> > something like this:
> > - allow specific ports/services to specific systems inbound
> > - allow specific ports/services to specific systems outbound
> > - deny everything else from everything to everything
>
> No, that's not a "good firewall design". That's an anal-retentive
> nutcase firewall. Some networks really do need that kind of setup, but
> most don't. It's by far the most difficult configuration to use, debug,
Well, that's true - some networks don't need a ruleset so restrictive. And
me, being somewhat anal when it comes to the security of my networks, I
prefer this type of setup. It's not difficult to debug and maintain at all
- as long as you know what you're doing and have a basic grasp of network
security and network protocols, as well as logical thought. Being a
Security Geek, among other things, I err on the side of caution - because
few things are more important than the security of my networks.
> A "good firewall design" matches the requirements of the network it is
> protecting. No more, and no less.
>
And mine always do, I endeavor to always make my networks as secure as
possible given the tools and resources available to me.
--
Kurt
kurt at k-huhn.com
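As an added illustration of the default-deny ruleset described in the quoted post (this is not a configuration from the original message or from either author), here is an IPFilter ipf.conf in the "block everything, then pass specific services to specific hosts" style. The interface name ext0 and the internal network, the addresses 192.168.1.0/24, 203.0.113.10 and 198.51.100.1 are assumptions chosen for the example. It relies on two properties of IPFilter rule processing: the last matching rule wins unless a rule carries "quick", which stops evaluation at that rule, and "keep state" lets replies to an allowed connection back through without a separate rule.

```conf
# Added example ruleset, not from the original post.
# Interface ext0 and all addresses below are assumed/constructed values.

# 1. Default deny, logged: anything not explicitly passed below is dropped
#    and written to ipmon, which is where you debug a restrictive ruleset.
block in log all
block out log all

# 2. Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# 3. Anti-spoofing: packets claiming to come from the internal net must not
#    arrive on the external interface.
block in quick on ext0 from 192.168.1.0/24 to any

# 4. Inbound: specific services to specific systems.
#    SSH and HTTP to one public host only; "flags S" means only the initial
#    SYN creates state, so stray mid-connection packets are still blocked.
pass in quick on ext0 proto tcp from any to 203.0.113.10 port = 22 flags S keep state
pass in quick on ext0 proto tcp from any to 203.0.113.10 port = 80 flags S keep state

# 5. Outbound: specific services from specific systems.
#    DNS only to the designated resolver, HTTP/HTTPS from the internal net.
pass out quick on ext0 proto udp from 192.168.1.0/24 to 198.51.100.1 port = 53 keep state
pass out quick on ext0 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
pass out quick on ext0 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state

# Everything else falls through to the "block ... log all" rules in section 1.
```

Loading it with "ipf -Fa -f /etc/ipf.conf" flushes the old rules and installs these; the logged blocks (via ipmon) are what make a ruleset like this straightforward to debug: every dropped packet tells you exactly which host, port and direction you forgot to allow.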