> I build mine very similar to you, with one exception. Any
> traffic from the inside net that the firewall is supposed to
> block, I'm REJECTing. That way internal devices don't 'hang'
> waiting for a timeout. Everything coming in from the outside
> still gets DROPPED though. But I do prefer to send a RST to
> hosts on the inside.

I guess the trade-off here is ease-of-use (faster timeouts) vs higher security. It would be a lot easier for an internal attacker to port-scan the DMZ network space to figure out the firewall rules with your suggestion.

Stefan

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
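The policy the two posters are discussing, written out as an iptables FORWARD chain; this is an added example, not a ruleset from either poster. It REJECTs blocked inside-originated TCP with a RST (fast failure for internal hosts) and silently DROPs blocked outside traffic, and adds a rate-limited LOG rule in front of the REJECT so that the internal scanning Stefan worries about leaves a trace. Interface names and the DMZ network are assumed placeholders; the script prints the rules by default and only applies them when IPT is set to the real iptables binary.

```sh
#!/bin/sh
# Added example, not from the firewall-wizards thread.
INSIDE_IF=${INSIDE_IF:-eth1}      # assumed: LAN-facing interface
OUTSIDE_IF=${OUTSIDE_IF:-eth0}    # assumed: Internet-facing interface
DMZ_IF=${DMZ_IF:-eth2}            # assumed: DMZ-facing interface
DMZ_NET=${DMZ_NET:-192.0.2.0/24}  # assumed: documentation range as the DMZ
# Dry run by default: print the rules. Set IPT=iptables to apply them.
IPT=${IPT:-echo iptables}

fw_rules() {
    # Replies to already-permitted connections.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only service both sides may reach in the DMZ (assumed: HTTP).
    $IPT -A FORWARD -i "$INSIDE_IF"  -o "$DMZ_IF" -d "$DMZ_NET" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$OUTSIDE_IF" -o "$DMZ_IF" -d "$DMZ_NET" -p tcp --dport 80 -j ACCEPT
    # Inside -> anything not allowed: log first so a sweep of the DMZ range
    # shows up in syslog, then answer TCP with a RST (no client hang) and
    # everything else with ICMP port-unreachable.
    $IPT -A FORWARD -i "$INSIDE_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT-IN: "
    $IPT -A FORWARD -i "$INSIDE_IF" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -i "$INSIDE_IF" -j REJECT --reject-with icmp-port-unreachable
    # Outside -> anything not allowed: drop silently, no response of any kind.
    $IPT -A FORWARD -i "$OUTSIDE_IF" -j DROP
}

# Number of generated rules containing the given fragment (for checking).
count_rules() { fw_rules | grep -c -- "$1"; }

fw_rules
```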
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 05:38:44 PDT