[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <NMEAJDJMDLJLOIOCIKJJCECOGJAA.exibar@thelair.com>
Date: Sun Aug 28 18:23:16 2005
From: exibar at thelair.com (Exibar)
Subject: [inbox] RE: Example firewall script
Wasn't the original poster's question about FW rules and not ACL's?
If you had ONLY "Allow ANY ANY", why bother having the firewall in place at
all? You'll never be LESS secure from the nasties on the 'net than that...
well unless you're just running a base un-patche OS, etc...
If you had only "Deny ANY ANY", nothing would get in or out through that
firewall, so why wouldn't that be the "most secure" rule? Again, might as
well just unplug from the 'net completely, you'll never be more secure from
the nasties on the 'net than that.
I kinda assumed that people would realize that these are not practical
rules to have in place without other rules backing them up. I for one don't
believe you should EVER have an "Allow ANY ANY" rule, anywhere in your rule
list, "Deny ANY ANY" should be the last rule, IMHO.
heheh, I never meant to be the catalyst for such a huge battle between
people....
Exibar
> -----Original Message-----
> From: ericscher@....com [mailto:ericscher@....com]
> Sent: Saturday, August 27, 2005 12:42 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [inbox] [Full-disclosure] RE: Example firewall script
>
>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> =================================
> ORIGINAL MESSAGE:
> -----------------
> Date: Sat, 27 Aug 2005
> From: "Exibar"
> Subject: Example firewall script
>
> >The absolute worse Firewal rule
> >you can have:
> >
> > Allow ANY ANY
> >
> >The best:
> >
> > Deny ANY ANY
> =================================
>
> REPLY:
> -------
>
> Actually, that's not true.
> I would agree that as a general rule of thumb
> you should have a deny statement at the end
> of every ACL. In fact, Cisco places an implicit
> DENY ANY ANY at the end of their ACL's
> automatically.
>
> However, Access Control Lists are not firewalls.
> Yes, we use them as firewalls, but that's not what
> they are.
>
> ACL's ARE TRAFFIC SHAPING DEVICES.
>
> As traffic shaping devices, they can be used for
> security, but they are also used for management
> purposes. For instance; many Autonomous Systems
> are multi-homed. There are decisions to be made
> about how traffic will flow in and out of the AS.
> You also have to decide if you wish to be a
> transit AS or not.
>
> ACLs are the tool that you use to control your
> traffic.
>
> While an ACL being used as a security device
> should have a deny statement at the end, proper
> construction of the ACL is more about following
> the proper construction rules.
>
> This is actually a huge subject, far too big
> for an individual e-mail to a list.
>
> But there are some basic rules to keep in mind:
>
> ACL's analyze traffic from top to bottom, so
> keep your most specific entries at the top,
> with more general entries near the bottom;
> and do your "permits" before your "denys".
> That means you deal with hosts first, then
> subnets, then networks, and at each level
> you have your permit statements before your
> deny statements. The reason for this is because
> once a packet matches a line, it's dealt with
> right then and there. You don't want to have
> a packet thrown away just before a line that
> would have permitted it.
>
> There are also issues of what KIND of ACL to
> use and where to place them; Inbound or Outbound.
>
> In terms of the original question, the only
> difference between a "good" line item or a
> "bad" line item is whether or not the syntax
> is correct.
>
> The only difference between a "good" ACL
> and a "bad" ACL is whether or not it's
> structure is properly designed and whether
> or not it's placed in the proper location.
>
>
> This subject REALLY calls for a book, not
> an e-mail response. I've said very little
> in this post and look at all the room
> it took up.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> --------------------------------------------------------------------
> mail2web - Check your email from the web at
> http://mail2web.com/ .
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
Powered by blists - more mailing lists