Network Segmentation Approaches

Scott Weeks surfer at
Thu May 7 01:02:49 UTC 2015

On 07.05.2015 08:30, Scott Weeks wrote:
> --- rsk at wrote:
> From: Rich Kulawiec <rsk at>
> The first rule in every firewall is of course
> "deny all" and subsequent rulesets permit only
> the traffic that is necessary.
> ------------------------------------
> I think you got this backward?  That way all
> traffic is blocked, so none is allowed through.
> Also, deny by default at the end of the rule
> set is not the best thing for every network
> that needs a firewall.  Some just want to block
> bad stuff they see and allow everything else.
> (And some have stated here that they will block
> entire countries until their culture changes!)

--- aj at wrote:
From: Andrew Jones <aj at>

It depends on the software used and implementation.
Many rulesets for pf on BSD start with 'block in on 
interfaceX' for instance, because it uses a "last 
match wins" system, unless you use the 'quick' 
keyword to make rule processing stop if that rule

I was assuming stop looking on first match.  So, 
"deny ip any any" blocks everything at the very 
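
The difference the thread is circling around (pf evaluates the whole list and the last matching rule wins unless a rule says 'quick', while a Cisco-style ACL stops at the first match and denies by default) is easy to get wrong when moving rules between the two. The following toy evaluator is an added illustration and is not pf, IOS, or anything posted in this thread: it parses a small, constructed subset of pf-like syntax (action, optional 'quick', 'proto', 'port'; 'in', 'on', interface names and 'to' are accepted and ignored) and runs the same rule lists under both semantics so the reordering consequences are visible.

```python
"""Toy evaluator contrasting pf-style "last match wins" (with 'quick')
against first-match ACL semantics.  Added illustration for the thread;
not pf or IOS code.  The rule grammar is a constructed subset: action,
optional 'quick', optional 'proto X', optional 'port N'.  Anything left
unspecified matches any packet."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp", "icmp", ...
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False          # pf 'quick': stop evaluating on a match
    proto: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.port is not None and self.port != pkt.dport:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse a pf-like line such as 'pass in quick on em0 proto tcp to port 22'.
    Only the tokens this toy understands are honoured (assumed subset)."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("pass", "block"):
        raise ValueError(f"unknown action: {action}")
    proto = None
    port = None
    for i, tok in enumerate(tokens):
        if tok == "proto":
            proto = tokens[i + 1]
        elif tok == "port":
            port = int(tokens[i + 1])
    return Rule(action, "quick" in tokens, proto, port)


def evaluate_pf(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf semantics: walk the whole list; the LAST matching rule wins,
    unless a matching rule carries 'quick', which ends evaluation there.
    With no matching rule pf's implicit default is pass."""
    decision = default
    for r in rules:
        if r.matches(pkt):
            decision = r.action
            if r.quick:
                break
    return decision


def evaluate_first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ACL semantics (Cisco style): the FIRST matching rule wins and the
    implicit entry at the end of the list is deny."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


# Constructed rule lists modelled on the two orderings discussed above.
PF_STYLE = [parse_rule(l) for l in [
    "block in on em0",                       # catch-all first, pf idiom
    "pass in on em0 proto tcp to port 22",   # later rules override it
    "pass in on em0 proto tcp to port 443",
]]
QUICK_BLOCK = [parse_rule(l) for l in [
    "block in quick on em0",                 # 'quick': nothing below is consulted
    "pass in on em0 proto tcp to port 22",
]]
ACL_STYLE = [parse_rule(l) for l in [
    "pass in on em0 proto tcp to port 22",   # permits first ...
    "block in on em0",                       # ... "deny ip any any" last
]]

SSH = Packet("tcp", 22)
SMTP = Packet("tcp", 25)

if __name__ == "__main__":
    for name, rules in (("PF_STYLE", PF_STYLE), ("QUICK_BLOCK", QUICK_BLOCK),
                        ("ACL_STYLE", ACL_STYLE)):
        for pkt in (SSH, SMTP):
            print(f"{name:12} {pkt.proto}/{pkt.dport}: "
                  f"pf={evaluate_pf(rules, pkt)} "
                  f"first-match={evaluate_first_match(rules, pkt)}")
```

Running it shows the point of the exchange: the pf idiom (block first, pass later) admits SSH only under last-match semantics and blocks everything under first-match; a 'quick' block at the top blocks everything under pf as well; and the ACL ordering (permits first, deny-all last) does what the author intends on a first-match device but, pasted into pf without 'quick' on the pass rules, lets the trailing block win and drops the SSH it meant to allow.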


More information about the NANOG mailing list