On 07.05.2015 08:30, Scott Weeks wrote:
> --- [email protected] wrote:
> From: Rich Kulawiec <[email protected]>
>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
> ------------------------------------
>
>
> I think you got this backward?  That way all
> traffic is blocked, so none is allowed through.
> Also, deny by default at the end of the rule
> set is not the best thing for every network
> that needs a firewall.  Some just want to block
> bad stuff they see and allow everything else.
> (And some have stated here that they will block
> entire countries until their culture changes!)
---------------------------------------
--- [email protected] wrote:
From: Andrew Jones <[email protected]>

It depends on the software used and implementation.  Many rulesets for
pf on BSD start with 'block in on interfaceX' for instance, because it
uses a "last match wins" system, unless you use the 'quick' keyword to
make rule processing stop if that rule matches.
-----------------------------------------

I was assuming stop looking on first match.  So, "deny ip any any"
blocks everything at the very beginning.

scott
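The disagreement in the thread comes down to rule-evaluation semantics, so here is a small evaluator (added example, not code from any of the posters or from pf itself) that runs the same ruleset under both models. The rules and packets are constructed for illustration; the evaluator assumes first-match engines fall through to a configurable default (deny, as on Cisco ACLs) and that pf passes a packet matching no rule unless a matching rule carries `quick`.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp", "icmp"
    dport: Optional[int]   # destination port, None for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "any" matches every protocol
    dport: Optional[int] = None  # None matches every destination port
    quick: bool = False          # pf-style: a matching quick rule is final

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """ACL / iptables style: the first matching rule decides; otherwise the
    implicit default (deny on Cisco ACLs) applies."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


def last_match(rules: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """pf style: the last matching rule decides, unless a matching rule is
    'quick', which ends evaluation immediately. A packet matching no rule
    is passed (assumed pf default)."""
    decision = default
    for r in rules:
        if r.matches(pkt):
            decision = r.action
            if r.quick:
                break
    return decision


# Constructed ruleset in the shape the thread argues about:
# "deny ip any any" / "block in on ifX" first, then explicit permits.
DENY_FIRST = [
    Rule("deny"),
    Rule("permit", "tcp", 80),
    Rule("permit", "tcp", 443),
]
# Same rules with the blanket deny marked 'quick' (pf only).
DENY_FIRST_QUICK = [Rule("deny", quick=True)] + DENY_FIRST[1:]
# Rich's intended "default deny" as a first-match engine would write it.
DENY_LAST = DENY_FIRST[1:] + [Rule("deny")]

WEB = Packet("tcp", 80)   # traffic the permits are meant to allow
SSH = Packet("tcp", 22)   # traffic nothing permits


def evaluate() -> Dict[str, str]:
    """Run each ruleset under both models and return the decisions."""
    return {
        # Scott's point: under first-match, a leading deny-all blocks everything.
        "first_match/deny_first/web": first_match(DENY_FIRST, WEB),
        "first_match/deny_first/ssh": first_match(DENY_FIRST, SSH),
        # Andrew's point: pf's last-match lets later permits override it.
        "last_match/deny_first/web": last_match(DENY_FIRST, WEB),
        "last_match/deny_first/ssh": last_match(DENY_FIRST, SSH),
        # 'quick' on the deny restores first-match behaviour in pf.
        "last_match/deny_first_quick/web": last_match(DENY_FIRST_QUICK, WEB),
        # Default-deny as the trailing rule works under first-match.
        "first_match/deny_last/web": first_match(DENY_LAST, WEB),
        "first_match/deny_last/ssh": first_match(DENY_LAST, SSH),
    }


if __name__ == "__main__":
    for key, decision in evaluate().items():
        print(f"{key:36} -> {decision}")
```

Both posters are right for their engine: the same text, `deny all` as rule one, is a total block on a first-match engine and a sane default on pf, where only `quick` makes position decisive. The practical check before copying a ruleset between platforms is to feed it representative packets, as above, rather than to reason from rule order alone.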

