Sunday, November 26, 2017

Best Practices for Managing Network Firewall - Deny All Rule...

Hi,

I always thought that "Deny All" should be at the bottom of the ACL, and all the "allow" exceptions above it. However, I was reading this article - http://ift.tt/2k0k1u0 where the author is advising to "Deny All" First and Then Add Exceptions... (?!)

I always thought that if the rules are processed from the top to the bottom, "Deny All" will block everything regardless of what's below it.

Wrong example:

  1. deny ip any host (exchange server ip)
  2. permit tcp any host (exchange server ip) eq 80
  3. permit tcp any host (exchange server ip) eq 443

Correct example:

  1. permit tcp any host (exchange server ip) eq 80
  2. permit tcp any host (exchange server ip) eq 443
  3. deny ip any host (exchange server ip)

According to the article: "You'll most likely want to have a "Deny All" rule as your first firewall rule. This is the most important of the rules and its placement is also crucial... Once you have your "Deny All" rule in place in position #1, you can start to add your allow rules below it to let specific traffic in and out of your network (assuming your firewall processes rules from top to bottom)."

Is this a mistake, or did I misunderstand something?
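The two ACLs in the post can be checked mechanically with a small first-match evaluator. The example below is added here and is not part of the original post or the linked article; the Exchange server address 192.0.2.10 and the client address 203.0.113.5 are constructed placeholders from the RFC 5737 documentation ranges. It evaluates a packet top to bottom, falls through to the implicit deny when nothing matches, and also reports "shadowed" rules, i.e. rules that an earlier rule matches completely so they can never be reached. Run against the post's two lists, the deny-first ACL shows both permit rules as shadowed and drops the HTTPS packet at rule 0, while the permit-first ACL has no shadowed rules and admits it.

```python
# Added example: a first-match ACL evaluator with shadowed-rule detection.
# Not from the original post; the host address 192.0.2.10 and the client
# address 203.0.113.5 are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp" / "udp"
    src: str               # CIDR prefix, or "any"
    dst: str               # CIDR prefix, or "any"; "host X" in Cisco syntax is X/32
    dport: Optional[int]   # destination port ("eq N"); None matches any port


def _in_net(addr: str, spec: str) -> bool:
    """True if addr falls inside spec, where spec is a CIDR prefix or "any"."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """Does one rule match a packet described by (proto, src, dst, dport)?"""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return _in_net(src, rule.src) and _in_net(dst, rule.dst)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first-match evaluation.

    Returns (action, index_of_matching_rule). If nothing matches, returns
    ("deny", None): the implicit deny at the end of a Cisco-style ACL.
    """
    for index, rule in enumerate(acl):
        if matches(rule, proto, src, dst, dport):
            return rule.action, index
    return "deny", None


def _covers_net(earlier: str, later: str) -> bool:
    """True if every address matched by `later` is also matched by `earlier`."""
    if earlier == "any":
        return True
    if later == "any":
        return False
    return ip_network(later, strict=False).subnet_of(ip_network(earlier, strict=False))


def covers(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` matches every packet `later` would match.

    Because the first match wins, `later` can then never be reached.
    """
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    port_ok = earlier.dport is None or earlier.dport == later.dport
    return proto_ok and port_ok and _covers_net(earlier.src, later.src) and _covers_net(earlier.dst, later.dst)


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that some earlier rule completely hides."""
    return [j for j, later in enumerate(acl) if any(covers(acl[i], later) for i in range(j))]


EXCHANGE = "192.0.2.10/32"   # constructed stand-in for "(exchange server ip)"
CLIENT = "203.0.113.5"       # constructed client address

# The post's "wrong example": deny first, then the permits.
WRONG = [
    Rule("deny",   "ip",  "any", EXCHANGE, None),
    Rule("permit", "tcp", "any", EXCHANGE, 80),
    Rule("permit", "tcp", "any", EXCHANGE, 443),
]

# The post's "correct example": permits first, deny last.
CORRECT = [
    Rule("permit", "tcp", "any", EXCHANGE, 80),
    Rule("permit", "tcp", "any", EXCHANGE, 443),
    Rule("deny",   "ip",  "any", EXCHANGE, None),
]


if __name__ == "__main__":
    for name, acl in (("wrong", WRONG), ("correct", CORRECT)):
        action, idx = evaluate(acl, "tcp", CLIENT, "192.0.2.10", 443)
        print(f"{name}: HTTPS to Exchange -> {action} (rule {idx}), shadowed rules: {shadowed_rules(acl)}")
```

The `shadowed_rules` check is the useful part for a review: on a real device, a permit that sits below a broader deny is silently dead, and a tool that flags it catches the ordering mistake before the change is pushed. The check is deliberately conservative and only reports a rule when a single earlier rule covers it entirely; a rule hidden by the union of several earlier rules is not reported.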
