On Sun, 2002-10-13 at 12:52, Stefan Norberg wrote: > I tend to build firewall rulebases that does the following (don't know > if this is common practice/knowledge out there): > > 1) Accept rules for traffic to the firewall device itself go first (such > as ssh, fw-gui). > 2) Explicit drop for all other traffic to the firewall device. > 3) General accept rules (ordered by system - high volume stuff first). > 4) Silent drop of some stuff that just fills up the logs and add litte > value, such as udp/137. Drop certain internal ip's that scans the > internal network all the time. And so on. > 5) Drop and log everything else. > > In general you don't want to use block/reject, since it sends out a TCP > RST (for TCP) or ICMP port unreach for UDP. An example where you would > you block/reject is to avoid timeouts for valid traffic such as identd. Stefan, I build mine very similar to you, with one exception. Any traffic from the inside net that the firewall is supposed to block, I'm REJECTing. That way internal devices don't 'hang' waiting for a timeout. Everything coming in from the outside still gets DROPPED though. But I do prefer to send a RST to hosts on the inside. Regards, Frank
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 19:46:47 PDT