On 5/5/2015 4:34 PM, Mark Andrews wrote:
> In message <20150505113445.gb24...@gsp.org>, Rich Kulawiec writes:
>> I break them up by function and (when necessary) by the topology
>> enforced by geography.  The first rule in every firewall is of
>> course "deny all" and subsequent rulesets permit only the traffic
>> that is necessary.
>
> Deny all really isn't needed with modern machines but that is a matter of
> policy.

The firewalls I've worked with don't log denies if they are due to an implicit deny-all at the end of the policy. I always put one in at the end to make sure that the attempt is logged.

Gene
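To illustrate the logging difference Gene describes, here is an added example that is not part of the thread: a small first-match policy evaluator with a hypothetical rule format. With only the implicit deny at the end of the policy, a blocked packet leaves no log entry; appending an explicit logged deny-all rule records it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port
    log: bool = False     # emit a log line when this rule matches

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:
    """First-match evaluation; returns the decision and appends log lines."""
    for i, r in enumerate(rules):
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            if r.log:
                log.append(f"rule {i} {r.action} {pkt.src}->{pkt.dst}:{pkt.dport}")
            return r.action
    # Implicit deny-all: the packet is dropped but nothing is logged.
    return "deny"

def run_policy(rules: List[Rule], pkts: List[Packet]) -> Tuple[List[str], List[str]]:
    log: List[str] = []
    return [evaluate(rules, p, log) for p in pkts], log

# Constructed sample policy: permit one service, then rely on the implicit deny.
PERMIT_ONLY = [Rule("permit", "10.0.0.0/8", "192.0.2.10/32", 443)]
# Same policy with an explicit, logged deny-all appended as the final rule.
EXPLICIT_DENY = PERMIT_ONLY + [Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, log=True)]

# Constructed sample traffic: one allowed flow and one that should be refused.
SAMPLE = [Packet("10.1.2.3", "192.0.2.10", 443), Packet("203.0.113.5", "192.0.2.10", 22)]

if __name__ == "__main__":
    for name, policy in (("implicit", PERMIT_ONLY), ("explicit", EXPLICIT_DENY)):
        decisions, log = run_policy(policy, SAMPLE)
        print(name, decisions, log)
```

Both policies reach the same decisions; only the second produces an audit trail for the refused attempt.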
