Re: Network Segmentation Approaches

2015-05-07 Thread Rich Kulawiec
Ah...got it, this was sloppy phrasing on my part. I meant "first" in the sense of "first rule that one should write". Depending on the firewall type/implementation, that might be the rule that's lexically first or last (or maybe somewhere else). ---rsk

Re: Network Segmentation Approaches

2015-05-06 Thread Scott Weeks
On 07.05.2015 08:30, Scott Weeks wrote:
> --- r...@gsp.org wrote:
> From: Rich Kulawiec
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
>
>
> I think you got this backward?

Re: Network Segmentation Approaches

2015-05-06 Thread Scott Weeks
From: Rich Kulawiec
On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
> From: Rich Kulawiec
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
>
>
> I think you

Re: Network Segmentation Approaches

2015-05-06 Thread Andrew Jones
It depends on the software used and implementation. Many rulesets for pf on BSD start with 'block in on interfaceX' for instance, because it uses a "last match wins" system, unless you use the 'quick' keyword to make rule processing stop if that rule matches.

Andrew

On 07.05.2015 08:30, Scott

Re: Network Segmentation Approaches

2015-05-06 Thread Rich Kulawiec
On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
> --- r...@gsp.org wrote:
> From: Rich Kulawiec
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
>
>
> I think

Re: Network Segmentation Approaches

2015-05-06 Thread Scott Weeks
--- r...@gsp.org wrote: From: Rich Kulawiec The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the traffic that is necessary. I think you got this backward? That way all traffic is blocked, so none is allowed

Re: Network Segmentation Approaches

2015-05-06 Thread Christopher Morrow
this is really a form of: "A subnet should contain all things of a like purpose/use." that way you don't have to compromise and say: "Well... tcp/443 is OK for ABC units but deadly for XYZ ones! block to the 6 of 12 XYZ and permit to all ABC... wait, can you bounce off an ABC and still kill an XYZ

Re: Network Segmentation Approaches

2015-05-06 Thread charles
Consider setting up a separate zone or zones (via VLAN) for devices with embedded TCP/IP stacks. I have worked in several shops using switched power units from APC, SynAccess, and TrippLite, and find that the TCP/IP stacks in those units are a bit fragile when confronted with a lot of traffic,

Re: Network Segmentation Approaches

2015-05-05 Thread Gene LeDuc
On 5/5/2015 4:34 PM, Mark Andrews wrote: In message <20150505113445.gb24...@gsp.org>, Rich Kulawiec writes: I break them up by function and (when necessary) by the topology enforced by geography. The first rule in every firewall is of course "deny all" and subsequent rulesets permit only the

Re: Network Segmentation Approaches

2015-05-05 Thread Mark Andrews
In message <20150505113445.gb24...@gsp.org>, Rich Kulawiec writes: > On Mon, May 04, 2015 at 07:55:43PM -0700, nan...@roadrunner.com wrote: > > Possibly a bit off-topic, but curious how all of you out there segment > > your networks. [snip] > > I break them up by function and (when necessary) by

Re: Network Segmentation Approaches

2015-05-05 Thread Joel Maslak
I'd certainly forget anything with "service provider" in the name. Different problem, different architecture. Last time I built this, I built a core network (WAN links, routers, etc) that enforced anti-spoofing rules, so I knew if I saw an "internal" IP address (either public assigned to me or RFC

RE: Network Segmentation Approaches

2015-05-05 Thread Keith Medcalf
It is called the Purdue Enterprise Reference Architecture ...

> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
> nan...@roadrunner.com
> Sent: Monday, 4 May, 2015 20:56
> To: nanog@nanog.org
> Subject: Network Segmentation Approaches
>
> Possibly a bit off-

Re: Network Segmentation Approaches

2015-05-05 Thread Stephen Satchell
On 05/04/2015 07:55 PM, nan...@roadrunner.com wrote: Possibly a bit off-topic, but curious how all of you out there segment your networks. Corporate/business users, dependent services, etc. from critical data and/or processes with remote locations thrown in the mix which could be mini-versions o

Re: Network Segmentation Approaches

2015-05-05 Thread Jimmy Hess
On Mon, May 4, 2015 at 9:55 PM, wrote:
> There's quite a bit of literature out there on this, so have been
> considering an approach with zones based on the types of data or
> processes within them.

General thoughts: It depends on the users and tasks on the network. Different segmentation st

Re: Network Segmentation Approaches

2015-05-05 Thread Rich Kulawiec
On Mon, May 04, 2015 at 07:55:43PM -0700, nan...@roadrunner.com wrote:
> Possibly a bit off-topic, but curious how all of you out there segment
> your networks.
[snip]

I break them up by function and (when necessary) by the topology enforced by geography. The first rule in every firewall is of c