[geeks] IPFilter experts?
Shawn Wallbridge
shawn at synack-hosting.com
Mon Nov 11 14:44:42 CST 2002
On Mon, 2002-11-11 at 11:10, Greg A. Woods wrote:
> [ On Monday, November 11, 2002 at 11:13:43 (-0500), Kurt Huhn wrote: ]
> > Subject: Re: [geeks] IPFilter experts?
> >
> > I'm far from an ipfilter wizard, but good firewall ruleset design goes
> > something like this:
> > - allow specific ports/services to specific systems inbound
> > - allow specific ports/services to specific systems outbound
> > - deny everything else from everything to everything
>
> No, that's not a "good firewall design". That's an anal-retentive
> nutcase firewall. Some networks really do need that kind of setup, but
> most don't. It's by far the most difficult configuration to use, debug,
> and maintain. You really do have to be a major TCP/IP expert to really
> make it work in all situations (unless you're only protecting one or two
> very simple TCP services and you don't have random client hosts on the
> inside).
>
> A "good firewall design" matches the requirements of the network it is
> protecting. No more, and no less.
>
> --
> Greg A. Woods
>
> +1 416 218-0098; <g.a.woods at ieee.org>; <woods at robohack.ca>
> Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
> _______________________________________________
> GEEKS: http://www.sunhelp.org/mailman/listinfo/geeks
Other than specifying the outgoing packets, I don't see why it's so bad.
Normally I do pretty much the same thing.
Would you care to explain what part of his rules are wrong and why?
shawn
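For readers unfamiliar with what the three-step design above looks like in practice, here is an added IPFilter ruleset that is not from the thread; the interface name fxp0, the 192.0.2.0/24 inside network and the two server addresses are assumed placeholders. Logging on the default-deny rules is the one addition that makes the "difficult to debug" setup Greg describes tractable, since every dropped packet then shows up in ipmon.

```ipf
# /etc/ipf.conf -- default-deny ruleset (constructed example, placeholder addresses)
# Rules are evaluated last-match unless "quick" is used; the two log/block
# rules at the top are the fallthrough for anything no later rule passes.
block in log all
block out log all

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# 1. Inbound: only specific services on specific hosts.
#    "flags S" matches the initial SYN; "keep state" lets the rest of the
#    connection (and the replies) through without further rules.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 22 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.11/32 port = 25 flags S keep state

# 2. Outbound: only specific services from the inside network.
#    This is the part Shawn flags as painful; each client protocol needs a rule.
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 80 flags S keep state
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any port = 443 flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.0/24 to any port = 53 keep state

# 3. Everything else falls through to the "block ... log all" rules above.
```

Reload with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon -o I` while exercising the network; any legitimate protocol you forgot appears there as a logged block rather than failing silently.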