On Thu, 22 Mar 2012, Paul Graydon wrote:
> Aloha,
> I was tasked with clearing up some ambiguities in our firewalls. Nothing too
> major, just some irritating stuff for the most part (commenting all the rules
> etc), but I got to wondering:
> Which is better practice, to have an explicit Deny / Deny at the end of an
> access list, or leave it to the implicit one?

Explicit for a couple of reasons.
1. defaults change, and someone looking at the ruleset may not realize it.
2. it gives you a place to put counters or logging of denied traffic
3. it makes it clear that you are thinking in terms of "deny everything,
unless it's explicitly allowed". Just the confirmation of the mindset can
be important when new people come on board.
David Lang
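To make points 1 and 2 concrete, here is an added toy model of an access list (not from the thread and not any vendor's ACL syntax; the Rule and AccessList classes, the sample rules and the packets are all constructed for illustration). The same two permit rules are evaluated once with only the platform's implicit default at the end and once with an explicit logged deny-all; flipping the implicit default shows which list still behaves as intended, and the hit counter on the explicit deny line is where the "counters or logging of denied traffic" live.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One line of a simplified access list (hypothetical model)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source prefix, CIDR notation
    dst: str                     # destination prefix, CIDR notation
    dport: Optional[int] = None  # destination port, None means any
    comment: str = ""            # the per-rule comment the thread recommends
    hits: int = 0                # match counter (point 2 in the reply)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


@dataclass
class AccessList:
    rules: list
    implicit_action: str = "deny"  # what the platform does when nothing matches
    denied_log: list = field(default_factory=list)

    def evaluate(self, pkt: dict) -> str:
        """First-match evaluation, as a typical ACL does it."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                if rule.action == "deny":
                    self.denied_log.append(f"{rule.comment or 'deny'}: {pkt}")
                return rule.action
        # Fell off the end: the implicit action applies, but nothing is
        # counted and nothing is logged.
        return self.implicit_action


def build_acl(explicit_deny: bool, implicit_action: str = "deny") -> AccessList:
    """Two permit lines, optionally closed by an explicit deny-all."""
    rules = [
        Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 443,
             comment="internal clients to web server"),
        Rule("permit", "udp", "10.0.0.0/8", "192.0.2.53/32", 53,
             comment="internal clients to resolver"),
    ]
    if explicit_deny:
        rules.append(Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0",
                          comment="deny everything else (logged)"))
    return AccessList(rules, implicit_action)


# Constructed sample traffic: one allowed flow, one SSH attempt, one
# external DNS query that should not be permitted.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 443},
    {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 22},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.53", "dport": 53},
]


def run(acl: AccessList) -> list:
    """Evaluate the sample packets and return the decisions in order."""
    return [acl.evaluate(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print("implicit deny            :", run(build_acl(False)))
    print("implicit, default flipped:", run(build_acl(False, "permit")))
    acl = build_acl(True, "permit")
    print("explicit, default flipped:", run(acl))
    print("hits on explicit deny    :", acl.rules[-1].hits)
    for line in acl.denied_log:
        print("logged:", line)
```

With only the implicit default, a later change of that default silently turns both unwanted flows into permits; with the explicit closing deny, the decisions are unchanged and the two denied packets show up both as a hit count on that line and as log entries a reviewer can inspect.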
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/