On Fri, 2003-12-05 at 13:09, Antony Stone wrote:
> On Friday 05 December 2003 5:40 pm, Daniel Chemko wrote:
>
> > Best practices:
> >
> > WE ARE ALL HUMAN (I hope)
> >
> > If you are looking for the best case, you'd want to cover your own
> > incompetence. Honestly, I work from this rule.
> > I policy block everything that I haven't allowed explicitly, simply
> > because if you try to build it in reverse, you're almost guaranteed to
> > miss a lot of important blocks / etc.
>
> I agree.
>
> Think of it like this:
>
> If you block everything, allow what you want, and forget something, then
> either you or someone you're providing services for will say "this isn't
> working - can you fix it please?" and you can correct the ruleset to allow
> the missing service.
>
> On the other hand, if you allow everything, and block the things you don't
> want, then anything you forget about is more likely to be discovered by
> somebody else on the Internet scanning and probing their way round your IP
> address/es, and if they find something you forgot to block, chances are they
> won't tell you :)
>
> Therefore correcting mistakes is a whole lot easier if you start from the
> "deny everything except these..." approach.
>
> Antony.

Any good firewall implementation should implicitly deny everything on the
INPUT and FORWARD chains. If anyone tells you different they must work for
Microsoft.

Ted
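A concrete form of the "deny everything except these..." ruleset the thread argues for, as an added example that is not part of the original mailing-list messages. It generates an iptables-restore(8) filter table whose INPUT and FORWARD chains default to DROP and accept only loopback, established traffic, ping, and the TCP ports named on the command line; it uses the modern `-m conntrack --ctstate` match rather than the older `-m state` syntax of the 2003 thread. The host profile (a plain server, no NAT, OUTPUT left open) and the port list are assumptions for the illustration. The second function is the check a practitioner would want before trusting a box: given `iptables-save` output, it confirms both chains really do default to DROP.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# gen_rules PORT... : print a default-deny filter table for iptables-restore.
# Assumed: simple server, no NAT; allowed ports are passed as arguments.
gen_rules() {
    printf '%s\n' '*filter'
    # Default policies: nothing reaches INPUT or FORWARD unless a rule below allows it.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic is always local; accept it first.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Packets the connection tracker cannot classify are dropped before anything else.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Replies to connections this host opened, and related flows (e.g. ICMP errors).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Keep ping working; everything else in ICMP falls through to the DROP policy.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # Explicitly allowed services: one rule per TCP port given on the command line.
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of whatever is about to hit the DROP policy, so a service
    # you forgot to allow shows up in the logs instead of failing silently.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# check_default_deny < iptables-save-output
# Returns 0 only if both INPUT and FORWARD carry a DROP default policy.
check_default_deny() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    return 0
}
```

To use it: `gen_rules 22 80 | iptables-restore --test` parses the ruleset without committing it, and `gen_rules 22 80 | iptables-restore` loads it; afterwards `iptables-save | check_default_deny && echo ok` verifies the policies took. Apply it from a console or with a scheduled rollback (for instance `sleep 300 && iptables -P INPUT ACCEPT` in the background until you have confirmed SSH still works), because with default-deny the first service you forget to allow is very often your own remote login.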