On Wed, 19 May 2010, J.Witvliet@xxxxxxxxx wrote:
> Hi Jerry,
>
> Just a general remark.
> When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about...
>
> Now the default is "allow", and only doing some SNAT and DNAT rules...
>
> hw
And as a follow up remark, it would be advisable to have a network policy
in place that will help to define your rules. For example within a
university environment like mine, we allow everything in by default except
those services for which we want to explicitly block. Those that we want
to explicitly block are documented and we run tests to ensure that our
firewall is working as expected on a regular basis.
Define your "business rules" first and make your firewall rules follow
suit.
--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier@xxxxxx
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_spam@xxxxxxxxxxx
TEAMWORK
There's power in numbers. Learn to work together.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
