Funny that you mentioned that. Right after I dropped the post to the group I realized that I was thinking backwards like you said. As it turns out, I only needed to permit 3 addresses and then I was done...easy. Guess I was over-analyzing, oh well =o)

Mark Z.

In a message dated 2/1/01 7:34:12 PM Eastern Standard Time, [EMAIL PROTECTED] writes:

> IMHO, you're looking at it from the wrong side:
>
> - What services or applications do your users (internal and external)
> require?
>
> - What ports and addresses/prefixes do you need to let *pass* for the
> services and applications listed at the previous step to work?
>
> - Block everything else. Use an explicit deny at the end if you have a
> syslog server, so you can log the probes, misconfigured or damaged
> systems, etc. Otherwise, you can rely on the implicit deny all at the
> end.
>

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
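As an added illustration (not from Mark's post or the quoted reply), here is what the three-step approach in the quoted message looks like as a Cisco IOS extended ACL, with the "wrong side" deny-list version beside it. The addresses (documentation ranges), the interface name, the syslog host and the three permitted services are assumptions for the example, not anyone's real configuration.

```cisco
! Added example, not the poster's configuration. Addresses, interface
! name, syslog host and services are assumptions for illustration.
!
! The "wrong side": enumerating what to block. Anything not on the list
! falls through to the permit-all at the end, and nothing is recorded
! about what got through.
ip access-list extended EDGE-IN-BLOCKLIST
 remark Ports we happened to think of
 deny   tcp any any eq 135
 deny   tcp any any eq 139
 deny   udp any any eq 161
 permit ip any any
!
! The approach from the quoted reply: list the services users need,
! permit exactly those destinations/ports, then deny everything else.
ip access-list extended EDGE-IN
 remark Return traffic for TCP sessions our users opened outbound
 permit tcp any any established
 remark Service 1: public web server
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 remark Service 2: inbound mail to the MX host
 permit tcp any host 192.0.2.25 eq 25
 remark Service 3: DNS replies from the ISP resolver to our caching server
 permit udp host 198.51.100.53 eq 53 host 192.0.2.53
 remark Explicit deny: same effect as the implicit deny, but "log" turns
 remark each hit into a syslog message (probes, broken hosts, typos in
 remark the permits above). Without "log" denied packets are counted only.
 deny   ip any any log
!
interface Serial0/0
 ip access-group EDGE-IN in
!
! Send the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP messages (severity 6)
! to the syslog server mentioned in the quoted reply.
logging 192.0.2.20
logging trap informational
```

Two caveats a practitioner would want with this: `established` only checks TCP flags (ACK/RST), so it is a flag filter, not a stateful match; and `log` on a busy edge costs CPU, IOS rate-limits those messages, so the syslog server sees a sample rather than every denied packet. Check the counters with `show access-lists EDGE-IN` after applying it, and expect the explicit deny line to be the noisiest entry.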