On Sat, 2005-08-27 at 12:41 -0400, ericscher@mac.com wrote:
However, Access Control Lists are not firewalls.
Yes, we use them as firewalls, but that's not what
they are.
ACL's ARE TRAFFIC SHAPING DEVICES.
ACL identify what traffic you are dealing with.
what to do with/on that traffic always depends.
you can re-route, shape, filter, crypt, nat and so on
[snip]
ACL's analyze traffic from top to bottom, so
keep your most specific entries at the top,
with more general entries near the bottom;
ok, but ...
and do your "permits" before your "denys".
this is not always true.
in a nat scenario you may want to crypt all the traffic, exept the one
that will be send in your entreprise vpn. you first need to deny the
specific traffic of your "private" networks, then allow the remaining..
in a filtering scenario of a bastion router you first refuse
private/reserved addresses from outside, than you allow any to your http
port....
This subject REALLY calls for a book, not
an e-mail response. I've said very little
in this post and look at all the room
it took up.
it's true, so please, do not generalize in this way ...
a still working mayhem :(
--
"And the Germans killed the Jews, And the Jews killed the Arabs,
And the Arabs killed the hostages, And that is the news" RW
https://www.recursiva.org - Key on pgp.mit.edu ID B88FE057
signature.asc
Description: This is a digitally signed message part
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
