Network Segmentation Approaches

Gene LeDuc gleduc at
Tue May 5 23:58:19 UTC 2015

On 5/5/2015 4:34 PM, Mark Andrews wrote:
> In message <20150505113445.GB24399 at>, Rich Kulawiec writes:
>> I break them up by function and (when necessary) by the topology
>> enforced by geography.  The first rule in every firewall is of
>> course "deny all" and subsequent rulesets permit only the traffic
>> that is necessary.
> Deny all really isn't needed with modern machines but that is a matter of
> policy.

The firewalls I've worked with don't log denies if they are due to an 
implicit deny-all at the end of the policy.  I always put one in at the 
end to make sure that the attempt is logged.
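A check in the spirit of the practice described above, as an added example that is not part of the original post: it parses an iptables-save dump (a constructed sample) and flags filter chains that still depend on the implicit default DROP policy instead of ending with an explicit LOG then DROP rule pair, which is exactly the case where denied attempts go unlogged.

```python
"""Flag iptables filter chains that rely on the implicit default DROP policy
instead of ending with an explicit LOG -> DROP rule pair (added example)."""
import re

# Constructed iptables-save dump: INPUT ends with an explicit logged deny,
# FORWARD falls through to the unlogged default policy.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DENY: "
-A INPUT -j DROP
-A FORWARD -p tcp --dport 443 -j ACCEPT
COMMIT
"""

LOG_TARGETS = {"LOG", "NFLOG"}
DENY_TARGETS = {"DROP", "REJECT"}

def parse_filter_table(dump):
    """Return (policies, targets): chain -> default policy, chain -> [-j targets]."""
    policies, targets = {}, {}
    in_filter = False
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *filter
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT":
            continue
        elif line.startswith(":"):          # chain declaration: :NAME POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        else:
            m = re.match(r"-A (\S+) .*-j (\S+)", line)
            if m:                           # rule with a jump target
                targets.setdefault(m.group(1), []).append(m.group(2))
    return policies, targets

def chains_with_silent_deny(dump):
    """Chains with policy DROP whose last two rules are not LOG then DROP/REJECT."""
    policies, targets = parse_filter_table(dump)
    silent = []
    for chain, policy in policies.items():
        tail = targets.get(chain, [])[-2:]
        explicit = len(tail) == 2 and tail[0] in LOG_TARGETS and tail[1] in DENY_TARGETS
        if policy == "DROP" and not explicit:
            silent.append(chain)
    return silent
```

Run it against `iptables-save` output from a live host; any chain it reports will deny traffic without leaving a log entry for the attempt.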


More information about the NANOG mailing list