[geeks] IPFilter experts?

Greg A. Woods woods at weird.com
Mon Nov 11 11:10:30 CST 2002


[ On Monday, November 11, 2002 at 11:13:43 (-0500), Kurt Huhn wrote: ]
> Subject: Re: [geeks] IPFilter experts?
>
> I'm far from an ipfilter wizard, but good firewall ruleset design goes
> something like this:
>  - allow specific ports/services to specific systems inbound
>  - allow specific ports/services to specific systems outbound
>  - deny everything else from everything to everything

No, that's not a "good firewall design".  That's an anal-retentive
nutcase firewall.  Some networks really do need that kind of setup, but
most don't.  It's by far the most difficult configuration to use, debug,
and maintain.  You really do have to be a major TCP/IP expert to really
make it work in all situations (unless you're only protecting one or two
very simple TCP services and you don't have random client hosts on the
inside).

A "good firewall design" matches the requirements of the network it is
protecting.  No more, and no less.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods at ieee.org>;           <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
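For reference, here is what the three-bullet design Kurt describes looks like as an IPFilter ruleset; this is an added illustration, not from either message in the thread, and the interface name `fxp0` and the 192.0.2.0/24 addresses are placeholder assumptions:

```conf
# ipf.conf -- default-deny ruleset (assumed interface fxp0, assumed
# internal net 192.0.2.0/24, assumed mail/ssh host 192.0.2.10).
# ipf is last-match unless a rule says "quick", so the block rules go
# first without "quick" and every pass rule uses "quick" to win outright.

# - deny everything else from everything to everything (logged so that
#   ipmon shows exactly what the default-deny is dropping)
block in log all
block out log all

# loopback must always pass or local services break in confusing ways
pass in quick on lo0 all
pass out quick on lo0 all

# - allow specific ports/services to specific systems inbound
#   SMTP from anywhere to the mail host; SSH only from the internal net
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from 192.0.2.0/24 to 192.0.2.10 port = 22 flags S keep state

# - allow specific ports/services to specific systems outbound
#   HTTP and DNS from internal hosts; "keep state" lets replies back in
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 80 flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.0/24 to any port = 53 keep state
```

The `log` keyword on the two block rules is what makes Greg's debugging complaint tractable: `ipmon` then reports every packet the catch-all dropped, so a missing service rule shows up as a logged block rather than a silent hang.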