Network Segmentation Approaches
- Subject: Network Segmentation Approaches
- From: aj at jonesy.com.au (Andrew Jones)
- Date: Thu, 07 May 2015 09:08:38 +1000
- In-reply-to: <[email protected]>
- References: <[email protected]>
It depends on the software used and implementation.
Many rulesets for pf on BSD start with 'block in on interfaceX' for
instance, because it uses a "last match wins" system, unless you use the
'quick' keyword to make rule processing stop if that rule matches.
Andrew
On 07.05.2015 08:30, Scott Weeks wrote:
> --- rsk at gsp.org wrote:
> From: Rich Kulawiec <rsk at gsp.org>
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
> ------------------------------------
>
>
> I think you got this backward? That way all
> traffic is blocked, so none is allowed through.
> Also, deny by default at the end of the rule
> set is not the best thing for every network
> that needs a firewall. Some just want to block
> bad stuff they see and allow everything else.
> (And some have stated here that they will block
> entire countries until their culture changes!)
>
> scott
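To make the distinction in Andrew's reply concrete, here is an added example (not code from the thread) that simulates pf's rule evaluation on a tiny constructed rule model: a "block in" default at the top that later "pass" rules override by last-match, and a "quick" block that no later rule can override. It assumes pf's behaviour of passing a packet that matches no rule at all, and uses exact-string source matching instead of CIDR for brevity.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False          # stop evaluating once this rule matches
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None    # exact-string source match (constructed; no CIDR)
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        wanted = {"iface": self.iface, "proto": self.proto,
                  "src": self.src, "dport": self.dport}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())

def evaluate(rules, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule is
    marked quick, which ends evaluation at once. No match: pf passes (assumed)."""
    decision = "pass"
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision

# Ruleset 1: the pf idiom from the post, default block first, specific passes after.
LAST_MATCH = [
    Rule("block", iface="em0"),
    Rule("pass", iface="em0", proto="tcp", dport=22),
    Rule("pass", iface="em0", proto="tcp", dport=443),
]

# Ruleset 2: block one source with quick, so the later pass cannot override it.
QUICK_BLOCK = [
    Rule("block", quick=True, iface="em0", src="198.51.100.7"),
    Rule("block", iface="em0"),
    Rule("pass", iface="em0", proto="tcp", dport=22),
]
# Same ruleset without quick: the later pass rule wins by last-match.
NO_QUICK = [Rule("block", iface="em0", src="198.51.100.7")] + QUICK_BLOCK[1:]

# Constructed sample packets (documentation-range addresses).
SSH = {"iface": "em0", "proto": "tcp", "src": "203.0.113.5", "dport": 22}
SMTP = {"iface": "em0", "proto": "tcp", "src": "203.0.113.5", "dport": 25}
BAD_SSH = {"iface": "em0", "proto": "tcp", "src": "198.51.100.7", "dport": 22}
```

Running `evaluate(LAST_MATCH, SSH)` gives "pass" and `evaluate(LAST_MATCH, SMTP)` gives "block", while `BAD_SSH` is blocked under `QUICK_BLOCK` but passed under `NO_QUICK`, which is exactly why a default block at the top only works on a last-match system.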