Re: firewall conceptual question
On Sun, Jul 22, 2001 at 01:33:11PM -0500, Matthew Garman wrote:
> This makes sense to me, but in a lot of example firewalls I've seen
> floating around the 'net, they have explicit DROP rules (in addition to
> setting the default policy to DROP). This seems redundant to me---if you
> DROP everything by default, why would you need to explicitly set even more
> DROP rules?
This is useful if you, for instance, only want to ACCEPT everything from a specific subnet EXCEPT a single host. You would then insert a DROP condition for that single host followed by an ACCEPT for the subnet. No redundancy and maximum readability.
--
Salu2, Søren.
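The ordering Søren describes works because netfilter walks a chain top to bottom and the first matching rule decides; the chain policy only applies when nothing matched. The following is an added example (not part of the original thread or of iptables itself) that models that walk in Python so the two orderings can be compared side by side. The subnet 192.0.2.0/24 and the excluded host 192.0.2.77 are made-up illustration values; the iptables commands in the comments show the rules each chain corresponds to.

```python
"""First-match evaluation of an iptables-style INPUT chain.

Added example, not from the original mailing-list thread. It models the
rule walk iptables performs: rules are tried top to bottom, the first match
decides, and the chain policy applies only when nothing matched.
"""
import ipaddress

# Constructed addresses for the example (not from the original post).
SUBNET = ipaddress.ip_network("192.0.2.0/24")
BAD_HOST = ipaddress.ip_network("192.0.2.77/32")


def evaluate(chain, policy, src):
    """Return the verdict for a packet from `src`.

    `chain` is an ordered list of (network, verdict) tuples, as produced by
    `iptables -A INPUT -s <network> -j <verdict>` in that order; `policy`
    is the chain policy set with `iptables -P INPUT <policy>`.
    """
    addr = ipaddress.ip_address(src)
    for network, verdict in chain:
        if addr in network:          # first match terminates the walk
            return verdict
    return policy                    # no rule matched: chain policy decides


# Ordering from the reply above: the specific DROP sits above the broad ACCEPT.
#   iptables -P INPUT DROP
#   iptables -A INPUT -s 192.0.2.77 -j DROP
#   iptables -A INPUT -s 192.0.2.0/24 -j ACCEPT
GOOD_CHAIN = [(BAD_HOST, "DROP"), (SUBNET, "ACCEPT")]

# Reversed ordering: the ACCEPT for the subnet also matches 192.0.2.77,
# so the DROP rule beneath it is shadowed and never reached.
SHADOWED_CHAIN = [(SUBNET, "ACCEPT"), (BAD_HOST, "DROP")]


def verdicts(chain, policy="DROP"):
    """Evaluate a few representative sources against a chain."""
    return {
        "excluded_host": evaluate(chain, policy, "192.0.2.77"),
        "other_subnet_host": evaluate(chain, policy, "192.0.2.10"),
        "outside_subnet": evaluate(chain, policy, "203.0.113.5"),
    }


def shadowed_rules(chain):
    """Report rules that can never match because an earlier rule covers them.

    A DROP that is fully covered by an earlier ACCEPT is a silent hole in
    the policy, which is what the reversed ordering produces.
    """
    result = []
    for i, (network, verdict) in enumerate(chain):
        for earlier, _ in chain[:i]:
            if network.subnet_of(earlier):
                result.append((str(network), verdict))
                break
    return result


if __name__ == "__main__":
    print("correct order:  ", verdicts(GOOD_CHAIN))
    print("reversed order: ", verdicts(SHADOWED_CHAIN))
    print("shadowed rules: ", shadowed_rules(SHADOWED_CHAIN))
```

With the DROP rule first, 192.0.2.77 is dropped, the rest of the subnet is accepted, and everything else falls through to the DROP policy. With the two rules swapped, the host is accepted and the explicit DROP is dead; the shadowed_rules check is the kind of lint worth running over a real ruleset (for example over the output of iptables-save) whenever specific exceptions are mixed with broad permits.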