On 07.05.2015 08:30, Scott Weeks wrote:
> --- r...@gsp.org wrote:
> From: Rich Kulawiec <r...@gsp.org>
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
> ------------------------------------
>
>
> I think you got this backward? That way all
> traffic is blocked, so none is allowed through.
> Also, deny by default at the end of the rule
> set is not the best thing for every network
> that needs a firewall. Some just want to block
> bad stuff they see and allow everything else.
> (And some have stated here that they will block
> entire countries until their culture changes!)
---------------------------------------
--- a...@jonesy.com.au wrote:
From: Andrew Jones <a...@jonesy.com.au>

It depends on the software used and implementation. Many rulesets for pf on BSD start with 'block in on interfaceX' for instance, because it uses a "last match wins" system, unless you use the 'quick' keyword to make rule processing stop if that rule matches.
-----------------------------------------


I was assuming stop looking on first match. So, "deny ip any any" blocks everything at the very beginning.

scott
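To make the disagreement above concrete, here is a small added simulator (not code from the thread, pf, or any router vendor) that evaluates the same two-rule set under pf's "last match wins" model, with and without 'quick', and under a first-match ACL model where a leading deny shadows everything after it. The interface name em0, the port numbers and the reduced match fields (interface, protocol, destination port) are illustrative assumptions; the default verdicts (pf passes unmatched traffic, a first-match ACL denies it) follow the real systems.

```python
"""Toy packet-filter evaluator contrasting two rule-processing models:
pf's "last match wins" (with the 'quick' keyword to stop early) and a
first-match ACL where a "deny ip any any" as the first line shadows every
later permit.

Added illustration only, not pf or IOS code. Rule and packet shapes are
simplified assumptions: only interface, protocol and destination port
are matched, and em0 / the port numbers are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: Optional[str] = None  # None means "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False          # pf 'quick': stop evaluating on a match

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, *, last_match_wins: bool,
             default: str) -> str:
    """Return the action applied to pkt.

    last_match_wins=True models pf: every matching rule is examined and the
    final match decides, unless a matching rule carries 'quick'.
    last_match_wins=False models a first-match ACL: the first matching rule
    decides and nothing after it is consulted.
    'default' is the verdict when no rule matches (pf: pass; IOS ACL: deny).
    """
    decision = default
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if not last_match_wins or rule.quick:
            return rule.action
        decision = rule.action
    return decision


# The pf idiom from the thread: block the interface first, then pass what
# is needed. Both packets below are constructed sample traffic.
PF_DEFAULT_BLOCK = [
    Rule("block", iface="em0"),
    Rule("pass", iface="em0", proto="tcp", dport=22),
]
SSH = Packet("em0", "tcp", 22)
HTTP = Packet("em0", "tcp", 80)


def pf_verdicts() -> Dict[str, str]:
    """Last match wins: the later 'pass' overrides the leading 'block'."""
    return {
        "ssh": evaluate(PF_DEFAULT_BLOCK, SSH, last_match_wins=True, default="pass"),
        "http": evaluate(PF_DEFAULT_BLOCK, HTTP, last_match_wins=True, default="pass"),
    }


def first_match_verdicts() -> Dict[str, str]:
    """Same ruleset read first-match: the leading 'block' shadows the 'pass'."""
    return {
        "ssh": evaluate(PF_DEFAULT_BLOCK, SSH, last_match_wins=False, default="block"),
        "http": evaluate(PF_DEFAULT_BLOCK, HTTP, last_match_wins=False, default="block"),
    }


def quick_verdicts() -> Dict[str, str]:
    """With the pass rule placed first, pf needs 'quick' on it, otherwise the
    trailing block still matches last and wins."""
    without_quick = [Rule("pass", iface="em0", proto="tcp", dport=22),
                     Rule("block", iface="em0")]
    with_quick = [Rule("pass", iface="em0", proto="tcp", dport=22, quick=True),
                  Rule("block", iface="em0")]
    return {
        "ssh_no_quick": evaluate(without_quick, SSH, last_match_wins=True, default="pass"),
        "ssh_quick": evaluate(with_quick, SSH, last_match_wins=True, default="pass"),
        "http_quick": evaluate(with_quick, HTTP, last_match_wins=True, default="pass"),
    }


if __name__ == "__main__":
    print("pf, block first then pass:         ", pf_verdicts())
    print("first-match, same ruleset:         ", first_match_verdicts())
    print("pf, pass first, with/without quick:", quick_verdicts())
```

Run it and the three dictionaries show the whole argument: under pf the block-then-pass ordering lets SSH through and drops everything else, under first-match the identical ordering drops everything, and once the pass rule is moved ahead of the block it only survives in pf if it carries 'quick'.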