In article <006e01bf5558$eb958170$0101a8c0@enzo> you wrote:
> 3) Output rules are a performance waste in most of the cases...

Depends...

On a firewall I use output rules for:

a) denying access from the firewall to the local network. That way I prevent
runaway daemons from accessing internal services (for example, accessing my
internal DNS server)
b) denying packets with a wrong sender address... this is important to prevent
packets from escaping your network if some routing on the firewall is broken.
c) I deny in the output rule some obviously disallowed access on the given
interface (for example, all ports except the www port on my web server DMZ),
just to be sure that if I have some broken rules, my basic assumptions
are still valid

Of course I agree with you that b) and c) are only failsafe measures and
might not justify the additional packet-filtering overhead.

Greetings
Bernd
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
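The three output-side checks Bernd lists, written out as an added example (not from the original post or the linux-net list) against modern iptables. ipchains' single output chain saw both locally generated and forwarded packets; in iptables those are the OUTPUT and FORWARD chains, so checks b) and c) live in a user-defined chain that both jump to, while check a) only concerns the firewall host itself and stays in OUTPUT. Interface names (eth0/eth1/eth2), the network ranges and the log prefixes are assumptions for illustration. Without APPLY=1 the script prints the commands instead of running them, so the ruleset can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and networks are
# assumptions. Run as `sh fw-output.sh print` to review the rules, or
# `sh fw-output.sh apply` (as root, with iptables installed) to install them.

EXT_IF="eth0"                # assumed: interface towards the Internet
INT_IF="eth1"                # assumed: interface towards the internal LAN
DMZ_IF="eth2"                # assumed: interface towards the web-server DMZ
INT_NET="192.168.1.0/24"     # assumed: internal network behind the firewall
# assumed: every network we legitimately emit packets from (LAN, DMZ, public block)
OUR_NETS="192.168.1.0/24 192.168.2.0/24 203.0.113.0/24"

# Dry-run wrapper: print the command unless APPLY=1 is set.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

egress_rules() {
    # Shared chain for checks that apply to everything leaving an interface,
    # whether the firewall generated the packet (OUTPUT) or routed it (FORWARD).
    ipt -N EGRESS
    # b) anti-spoofing: a packet leaving the external interface must carry one
    #    of our own source addresses; anything else indicates broken routing
    #    and is logged, then dropped, instead of escaping the network.
    for net in $OUR_NETS; do
        ipt -A EGRESS -o "$EXT_IF" -s "$net" -j RETURN
    done
    ipt -A EGRESS -o "$EXT_IF" -j LOG --log-prefix "egress-spoof: "
    ipt -A EGRESS -o "$EXT_IF" -j DROP
    # c) only web traffic (and replies to it) may be delivered into the DMZ;
    #    this holds even if an INPUT or FORWARD rule elsewhere is wrong.
    ipt -A EGRESS -o "$DMZ_IF" -p tcp --dport 80 -j RETURN
    ipt -A EGRESS -o "$DMZ_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    ipt -A EGRESS -o "$DMZ_IF" -j LOG --log-prefix "egress-dmz: "
    ipt -A EGRESS -o "$DMZ_IF" -j DROP
    # Hook the chain into both paths an outgoing packet can take.
    ipt -I OUTPUT 1 -j EGRESS
    ipt -I FORWARD 1 -j EGRESS
}

local_rules() {
    # a) the firewall host itself must not open connections into the LAN, so a
    #    runaway daemon on it cannot reach e.g. the internal DNS server.
    #    Replies to connections the LAN opened towards the firewall are not
    #    NEW and therefore still pass.
    ipt -A OUTPUT -o "$INT_IF" -d "$INT_NET" -m conntrack --ctstate NEW -j LOG --log-prefix "fw-to-lan: "
    ipt -A OUTPUT -o "$INT_IF" -d "$INT_NET" -m conntrack --ctstate NEW -j DROP
}

all_rules() {
    egress_rules
    local_rules
}

# Self-check for the dry run: how many DROP rules the ruleset installs.
drop_count() {
    all_rules | grep -c -- '-j DROP$'
}

case "${1:-}" in
    print) all_rules ;;
    apply) APPLY=1 all_rules ;;
esac
```

The RETURN targets in EGRESS hand matching packets back to OUTPUT or FORWARD, so the chain only ever says "no"; the usual accept rules stay where they were. That is what makes it a failsafe in the sense of the post: it adds a few rule evaluations per packet but never grants anything.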