2014-04-09 11:31 GMT+02:00 Stuart Henderson <[email protected]>:
>
> Hmm.. It is often fairly quick to pick up rules which over-block (though
> problems with jobs which only occur weekly or monthly can take a while to
> track down, and also there are situations where you won't notice a
> problem until all firewall states are flushed and all tables flushed
> and reloaded). But it's a lot harder to pick up rules which are too open.
>
Yeah, making "negative tests" isn't something people immediately think of when building a system: tests that "make sure the open-on-the-inside port isn't reachable from the wrong end of the inside FW", so that you can catch it later on when the ruleset accidentally allows it a month later.

-- 
May the most significant bit of your life be positive.
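The kind of "negative test" described in the reply above, as an added example that is not part of the thread and not pf's own tooling: a small Python harness that encodes, for one vantage point, both the positive expectation (the published service must answer) and the negative one (the inside-only port must not), and reports any check whose observed outcome is not in its declared acceptable set. Run from a host on the "wrong" side of the firewall on a schedule, it catches a rule that silently became too open. The hosts, ports and the local listener in demo() are constructed stand-ins so the block runs offline with no firewall in the path; the outcome mapping in the comments (pf "block drop" produces a timeout, "block return" a refused connection) is standard pf behaviour, and the distinction matters for negative tests: under "block drop", a "refused" answer means the packets reached the host and only the missing listener hid the open rule.

```python
"""Negative (and positive) reachability tests for a firewall ruleset.

Added example: run from a fixed vantage point on a schedule so that a rule
that later becomes too open is caught rather than noticed by accident.
"""
import socket

# Possible outcomes of one TCP connect attempt.  Which one a *blocked* port
# should produce depends on the block policy: pf "block drop" (the default)
# gives TIMEOUT, "block return" gives REFUSED.  Under "block drop", observing
# REFUSED on a port that should be blocked is itself a finding: the packets
# reached the host, and only the absence of a listener hid the open rule.
OPEN, REFUSED, TIMEOUT, ERROR = "open", "refused", "timeout", "error"


def probe(host, port, timeout=2.0):
    """Attempt one TCP connect to host:port and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return REFUSED
    except socket.timeout:
        return TIMEOUT
    except OSError:  # e.g. network unreachable from this vantage point
        return ERROR


def run_suite(expectations, timeout=2.0):
    """expectations: list of (description, host, port, acceptable_outcomes).

    Returns a list of (description, acceptable_outcomes, observed) for every
    check whose observed outcome is not acceptable.  An empty list means the
    ruleset behaves as declared when seen from this vantage point.
    """
    failures = []
    for desc, host, port, acceptable in expectations:
        observed = probe(host, port, timeout)
        if observed not in acceptable:
            failures.append((desc, acceptable, observed))
    return failures


def _local_listener():
    """Constructed stand-in for a service the ruleset is meant to publish."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def _closed_port():
    """Constructed stand-in for a port that must not be reachable: bind and
    release an ephemeral port so that nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the suite against the constructed local stand-ins (no firewall in
    the path) and return the failure list, empty when the expectations hold."""
    srv = _local_listener()
    allowed_port = srv.getsockname()[1]
    blocked_port = _closed_port()
    expectations = [
        ("positive: published service answers", "127.0.0.1", allowed_port, {OPEN}),
        # With a "block return" policy the right answer is REFUSED; with
        # "block drop" this set would be {TIMEOUT} and REFUSED a finding.
        ("negative: inside-only port not reachable", "127.0.0.1", blocked_port, {REFUSED}),
    ]
    try:
        return run_suite(expectations, timeout=1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    for desc, acceptable, observed in demo():
        print(f"FAIL {desc}: expected one of {sorted(acceptable)}, got {observed}")
```

In real use the expectation list is written per vantage point (one for the outside, one for each inside segment) with real hosts and ports, and the same list is rerun after every ruleset change and after states and tables are flushed, which is when the reply above notes problems tend to surface.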

