Since it is only four hosts you might want to consider setting up your rulebase as follows:

SRC GROUP(4 HOSTS) DST(ALL SYSTEMS AND DESTINATIONS YOU DO NEVER WANT TO BE ACCESSED BY THIS GROUP) SERVICE(ANY) ACTION(DENY)
SRC GROUP(4 HOSTS) DST(ANY) SERVICE(PUT TOGETHER A PORTLIST OF KNOWN TROJANS, IRC, ... AND STUFF LIKE THAT) ACTION(DENY)
SRC GROUP(4 HOSTS) DST(YOUR 900 HOSTS OR EVEN ANY) SERVICE(ANY) ACTION(ALLOW)
Maybe you want to _hide_ the real IPs of your 400 hosts with NAT.

Don't forget: it is a proposal only. I do not know what security risks it might cause you. HostingDinosaurs and Carriers tend to simple rulebases because they are fast and flexible. Banks and military institutions can't.
--Joerg
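The three-rule layout above depends on first-match order: both DENY rules must sit above the broad ALLOW, or they are shadowed. The following is an added example (not Check Point code and not from the list post) that evaluates such a rulebase in first-match order; the group addresses, the forbidden destination net and the port list are constructed placeholders.

```python
# Added example: first-match evaluation of the proposed three-rule layout.
# Addresses, the forbidden net and the port list are constructed placeholders.
import ipaddress
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    src: object        # set of ip_network objects, or ANY
    dst: object        # set of ip_network objects, or ANY
    services: object   # set of TCP/UDP destination ports, or ANY
    action: str        # "DENY" or "ALLOW"


def _in_nets(nets, addr):
    return nets is ANY or any(addr in n for n in nets)


def evaluate(rules, src, dst, port):
    """Return the action of the first rule matching (src, dst, port).

    Traffic matching no rule falls through to the implicit cleanup rule,
    which is reported here as "DENY"."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (_in_nets(r.src, s) and _in_nets(r.dst, d)
                and (r.services is ANY or port in r.services)):
            return r.action
    return "DENY"


# Constructed sample data (TEST-NET and private ranges, not real hosts).
GROUP = {ipaddress.ip_network(h) for h in
         ("192.0.2.10/32", "192.0.2.11/32", "192.0.2.12/32", "192.0.2.13/32")}
FORBIDDEN = {ipaddress.ip_network("10.99.0.0/16")}  # never reachable by the group
BLOCKED_PORTS = {6667}                               # IRC; extend with your own list

RULEBASE = [
    Rule(GROUP, FORBIDDEN, ANY, "DENY"),         # rule 1: forbidden destinations
    Rule(GROUP, ANY, BLOCKED_PORTS, "DENY"),     # rule 2: unwanted services
    Rule(GROUP, ANY, ANY, "ALLOW"),              # rule 3: everything else
]

if __name__ == "__main__":
    print(evaluate(RULEBASE, "192.0.2.10", "10.99.1.1", 80))            # DENY
    print(evaluate(list(reversed(RULEBASE)), "192.0.2.10", "10.99.1.1", 80))  # ALLOW (shadowed)
```

Running the reversed rulebase shows why the DENY rules must come first: with the ALLOW on top, the forbidden destination becomes reachable.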
-----Original Message-----
From: Connell Margo A. (DBM1MAC) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 29 January 2003 20:57
To: [EMAIL PROTECTED]
Subject: [FW-1] Suggestions for creating a manageable firewall policy

I have been tasked with creating a firewall policy with the following requirements: There are approximately 4 source addresses which require connectivity to approx 900 destinations utilizing many different ports. What would be the "best" way to create this rulebase? I would like to keep it as simple and manageable as possible.

Any suggestions would be greatly appreciated.

Margo A. Connell
Global Network Systems
Planning & Design
