On Sat, 2005-08-27 at 12:41 -0400, ericscher@xxxxxxx wrote: > However, Access Control Lists are not firewalls. > Yes, we use them as firewalls, but that's not what > they are. > > ACL's ARE TRAFFIC SHAPING DEVICES. ACL identify what traffic you are dealing with. what to do with/on that traffic always depends. you can re-route, shape, filter, crypt, nat and so on [snip] > ACL's analyze traffic from top to bottom, so > keep your most specific entries at the top, > with more general entries near the bottom; ok, but ... > and do your "permits" before your "denys". this is not always true. in a nat scenario you may want to crypt all the traffic, exept the one that will be send in your entreprise vpn. you first need to deny the specific traffic of your "private" networks, then allow the remaining.. in a filtering scenario of a bastion router you first refuse private/reserved addresses from outside, than you allow any to your http port.... > This subject REALLY calls for a book, not > an e-mail response. I've said very little > in this post and look at all the room > it took up. it's true, so please, do not generalize in this way ... a still working mayhem :( -- "And the Germans killed the Jews, And the Jews killed the Arabs, And the Arabs killed the hostages, And that is the news" RW https://www.recursiva.org - Key on pgp.mit.edu ID B88FE057
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/