
Re: firewall conceptual question



On Sun, Jul 22, 2001 at 01:33:11PM -0500, Matthew Garman wrote:
> This makes sense to me, but in a lot of example firewalls I've seen
> floating around the 'net, they have explicit DROP rules (in addition to
> setting the default policy to DROP).  This seems redundant to me---if you
> DROP everything by default, why would you need to explicitly set even more
> DROP rules?

This is useful if, for instance, you only want to ACCEPT everything from a specific subnet EXCEPT a single host. You would then insert a DROP condition for that single host followed by an ACCEPT for the subnet. No redundancy and maximum readability.

-- 
Salu2, Søren.
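The point in both the question and the reply is that a firewall chain is evaluated first-match, top to bottom, and the default policy only decides packets that no rule matched. The following is an added example, not code from the original thread: a small Python model of that evaluation, using invented addresses (10.0.0.0/24 as the trusted subnet, 10.0.0.5 as the excluded host), that shows why the host DROP has to come before the subnet ACCEPT, and includes a check for rules that an earlier, broader rule shadows so they can never fire. The iptables commands in the comments are the assumed equivalent, not taken from the post.

```python
import ipaddress

# Constructed rule set, in first-match order, mirroring the reply above:
# default policy DROP, one host dropped explicitly, the rest of its subnet
# accepted. All addresses are invented for this example.
#
# Assumed iptables equivalent (not from the original post):
#   iptables -P INPUT DROP
#   iptables -A INPUT -s 10.0.0.5/32 -j DROP
#   iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
DEFAULT_POLICY = "DROP"

RULES_CORRECT = [
    ("10.0.0.5/32", "DROP"),    # the one excluded host; must come first
    ("10.0.0.0/24", "ACCEPT"),  # the rest of the trusted subnet
]

# The same two rules in the wrong order: the subnet ACCEPT now matches the
# excluded host before its DROP rule is ever consulted.
RULES_REVERSED = list(reversed(RULES_CORRECT))


def trace(src, rules, policy=DEFAULT_POLICY):
    """Evaluate a source address against a chain with first-match semantics.

    Returns (verdict, index) where index is the position of the rule that
    decided, or None when the chain fell through to the default policy.
    """
    addr = ipaddress.ip_address(src)
    for i, (net, target) in enumerate(rules):
        if addr in ipaddress.ip_network(net):
            return target, i
    return policy, None


def verdict(src, rules, policy=DEFAULT_POLICY):
    """Just the verdict, for callers that do not care which rule fired."""
    return trace(src, rules, policy)[0]


def shadowed_rules(rules):
    """Return indices of rules that can never fire because an earlier rule
    matches a superset of their addresses. A shadowed rule is the usual
    symptom of the ordering mistake discussed in the thread."""
    nets = [ipaddress.ip_network(net) for net, _ in rules]
    out = []
    for i, net in enumerate(nets):
        if any(net.subnet_of(earlier) for earlier in nets[:i]):
            out.append(i)
    return out


if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.9", "192.168.1.1"):
        print(src, "correct order:", trace(src, RULES_CORRECT),
              "reversed order:", trace(src, RULES_REVERSED))
    print("shadowed in correct order:", shadowed_rules(RULES_CORRECT))
    print("shadowed in reversed order:", shadowed_rules(RULES_REVERSED))
```

With the rules in the reply's order, 10.0.0.5 hits rule 0 (DROP), 10.0.0.9 hits rule 1 (ACCEPT), and an address outside the subnet falls through to the DROP policy, so the explicit host DROP is not redundant with the policy: it exists to carve an exception out of a broader ACCEPT that would otherwise match first. Reverse the order and `shadowed_rules` reports the host rule as unreachable, which is the check worth running on any chain that mixes DROP and ACCEPT rules.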


