Network Segmentation Approaches

Scott Weeks surfer at
Thu May 7 00:58:31 UTC 2015

From: Rich Kulawiec <rsk at>
On Wed, May 06, 2015 at 03:30:01PM -0700, Scott Weeks wrote:
> From: Rich Kulawiec <rsk at>
> The first rule in every firewall is of course 
> "deny all" and subsequent rulesets permit only 
> the traffic that is necessary.  
> ------------------------------------
> I think you got this backward?  That way all 
> traffic is blocked, so none is allowed through.  

Nope, I said exactly what I intended (and what I do, 
in practice).  Doing so forces one to understand in 
detail what traffic actually needs to pass in/out 
and to craft specific rules for it.  This in turn 
helps avoid making mistake #1:

	The Six Dumbest Ideas in Computer Security

After reading your emails all these years, I figured 
you meant it the way you wrote it.  When you wrote
"...subsequent rulesets permit only the traffic that 
is necessary" I misunderstood and thought you meant 
rules put in after the default deny, which are useless. 
But by subsequent rulesets you meant rule sets put in 
later in time and above the deny all not after the deny 
all.  Small confusion over wording...  :-)


More information about the NANOG mailing list