[geeks] IPFilter experts?

Mike Meredith mike at blackhairy.demon.co.uk
Mon Nov 11 15:03:44 CST 2002


On Monday 11 November 2002 5:10 pm, Greg A. Woods wrote:
> [ On Monday, November 11, 2002 at 11:13:43 (-0500), Kurt Huhn wrote: ]
> >  - allow specific ports/services to specific systems inbound
> >  - allow specific ports/services to specific systems outbound

Well I'd drop the "specific systems" in allowing outbound services.

> >  - deny everything else from everything to everything
>
> No, that's not a "good firewall design".  That's an anal-retentive
> nutcase firewall.  

Most firewall administrators are anal-retentive nutcases (and yes that 
includes me).

> It's by far the most difficult configuration to use,
> debug, and maintain.  You really do have to be a major TCP/IP expert
> to really make it work in all situations (unless you're only

Well I'm not a major TCP/IP expert and I'm running a very similar 
firewall (with the change noted above). I haven't been fired, told I'm 
an idiot (although I dare say I'm about to be), or lynched; in fact the 
only problems I've had with the firewall are to do with users not 
realising they might have to request odd-ball stuff.

I'm certainly curious to know what things I'm missing that mean a major 
TCP/IP expert is needed. You certainly need to have a pretty good 
understanding of IP, and a basic understanding of routing, but the 
difficulties tend to be more political than technical (at least in an 
academic environment).
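
[Editor's illustration, not part of the original thread and not written by Mike, Greg or Kurt: the three-line policy being argued about, as an IPFilter ruleset, with Mike's variant of not restricting outbound traffic to specific systems. The interface name (em0), the addresses (RFC 5737 documentation range) and the service list are assumptions chosen for the example.]

```conf
# /etc/ipf.conf -- added example; interface, addresses and services are assumed.
#
# IPFilter semantics to keep in mind: the LAST matching rule wins unless a
# rule says "quick", in which case matching stops at that rule.  So the
# default-deny rules go first and the specific "pass ... quick" rules after.

# Deny everything in both directions, and log it, so the "odd-ball stuff"
# users have to ask for shows up in ipmon output instead of silently failing.
block in log all
block out log all

# Loopback is not subject to policy.
pass in quick on lo0 all
pass out quick on lo0 all

# Inbound: specific services to specific systems.  "flags S keep state"
# creates a state entry only on the initial SYN; that entry lets the replies
# back out without needing a matching outbound rule.
pass in quick on em0 proto tcp from any to 192.0.2.25 port = 25 flags S keep state
pass in quick on em0 proto tcp from any to 192.0.2.80 port = 80 flags S keep state
pass in quick on em0 proto tcp from any to 192.0.2.80 port = 443 flags S keep state

# Outbound: specific services from anywhere on the inside network
# (no per-system restriction, per the change suggested above).
pass out quick on em0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state
pass out quick on em0 proto tcp from 192.0.2.0/24 to any port = 80 flags S keep state
pass out quick on em0 proto tcp from 192.0.2.0/24 to any port = 443 flags S keep state
pass out quick on em0 proto udp from 192.0.2.0/24 to any port = 53 keep state

# Anything not matched by a "pass ... quick" rule falls through to the
# "block ... log all" rules at the top and is dropped.
```

Load it with `ipf -Fa -f /etc/ipf.conf` (flush, then reload) and run `ipmon` to see what the default-deny rules are dropping; that log is where the requests for "odd-ball stuff" come from. The debugging burden Greg describes is mostly the need to add one more stateful `pass ... quick` line per newly discovered service, rather than any deep TCP/IP expertise.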
