Choosing a Default Packet-Filtering Policy
As stated earlier in this chapter, a firewall is a device to implement an access control policy. A large part of this policy is the decision on a default firewall policy.
There are two basic approaches to a default firewall policy:
Deny everything by default, and explicitly allow selected packets through.
Accept everything by default, and explicitly deny selected packets from passing through.
Without question, the deny-everything policy is the recommended approach. This approach makes it easier to set up a secure firewall, but each service and related protocol transaction that you want must be enabled explicitly (see Figure 2.3). This means that you must understand the communication protocol for each ...
Get Linux Firewalls, Third Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
