Re: setup firewall with 3 nic cards




On Wed, 19 May 2010, J.Witvliet@xxxxxxxxx wrote:

> Hi Jerry,
>
> Just a general remark.
> When deploying a firewall, it is advisable (at least for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about...
>
> Now the default is "allow", and only doing some SNAT and DNAT rules...
>
> hw

And as a follow-up remark, it would be advisable to have a network policy 
in place that will help to define your rules.  For example, within a 
university environment like mine, we allow everything in by default except 
those services which we want to explicitly block.  Those that we want 
to explicitly block are documented and we run tests on a regular basis to 
ensure that our firewall is working as expected.

Define your "business rules" first and make your firewall rules follow 
suit.

-- 
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier@xxxxxx
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
           http://blogs.sfu.ca/people/jpeltier
MSN     : subatomic_spam@xxxxxxxxxxx

TEAMWORK
  There's power in numbers.  Learn to work together.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
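Added example, not part of the thread: a small Python script that tallies the lines a final "-j LOG" rule (in front of a default-DROP policy) writes to the kernel log, so the "packets you forgot about" show up grouped by inbound interface, protocol and destination port rather than as a wall of log text. The log prefix `IPT-DROP: ` and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format the iptables LOG target writes to the
# kernel log (assumed rule: -j LOG --log-prefix "IPT-DROP: " before the DROP policy).
SAMPLE_LOG = """\
May 19 10:01:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 19 10:01:03 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=... SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 10:01:04 fw kernel: IPT-DROP: IN=eth1 OUT= MAC=... SRC=10.0.0.5 DST=10.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=137 DPT=137 LEN=58
May 19 10:01:05 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
May 19 10:01:06 fw kernel: unrelated kernel message
"""

LOG_PREFIX = "IPT-DROP: "          # must match the --log-prefix used in the rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; flags like DF/SYN are skipped


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG-target line, or None if it is not one."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))


def summarise_dropped(text):
    """Count logged packets per (inbound interface, protocol, service).

    For TCP/UDP the service is the destination port; for ICMP it is the type.
    """
    counts = Counter()
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        proto = fields.get("PROTO", "?")
        if proto == "ICMP":
            service = "type " + fields.get("TYPE", "?")
        else:
            service = "dport " + fields.get("DPT", "?")
        counts[(fields.get("IN", "?"), proto, service)] += 1
    return counts


if __name__ == "__main__":
    # Most frequent first: these are the services to either allow explicitly or
    # confirm you meant to block.
    for (iface, proto, service), n in summarise_dropped(SAMPLE_LOG).most_common():
        print(f"{n:5d}  in={iface:<5} {proto:<5} {service}")
```

On a real host, feed it the kernel log (e.g. the output of `dmesg` or the syslog file the LOG target lands in) instead of SAMPLE_LOG.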
