On 11/05/11 23:05, phocean wrote:
>  Also, if you filter (and you should) both inbound and outbound traffic, 
>  how do you allow legitimate responses to the server?
I think Roland said earlier that outbound connections from these boxes
should be going out another interface, presumably (my presumption)
through a stateful firewall of some kind, because ACLs wouldn't be
sufficient.

This is perhaps the aspect that has been missed in this discussion
(mentioned once, not particularly picked up on, and not really noted
again).  It eliminates many of the concerns of using ACLs over stateful.

-- 
Craig Miskell
Systems Administrator, Catalyst IT
DDI: +64 4 8020427
==
Everything about the *nix culture points to not
walking anywhere except possibly to a pub :-P
        - Jim Perrin on CentOS mailing list
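The point made above, that a plain ACL is not a sufficient stand-in for a stateful firewall when letting replies back in to the server, as an added illustration that is not part of the thread. Addresses, ports and packets are constructed; the "established" ACL behaviour is modelled on the common router ACL that passes any inbound TCP segment with the ACK bit set.

```python
# Added example (not from the thread): a stateless "established" ACL versus a
# connection-tracking filter, both deciding whether an inbound segment to the
# filtered box may pass. All addresses, ports and packets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

SERVER = "192.0.2.10"  # the filtered box (RFC 5737 documentation range)

def stateless_acl(pkt: Packet) -> bool:
    """Router ACL in the spirit of 'permit tcp any host SERVER established':
    an inbound segment is presumed to be a reply if its ACK bit is set.
    Nothing is remembered about which connections the server opened."""
    return pkt.dst == SERVER and pkt.ack

class StatefulFilter:
    """Connection tracking: record flows the server initiates (outbound SYN)
    and admit inbound traffic only when it belongs to one of them."""
    def __init__(self) -> None:
        self.flows = set()  # (server port, peer address, peer port)

    def outbound(self, pkt: Packet) -> None:
        if pkt.src == SERVER and pkt.syn and not pkt.ack:
            self.flows.add((pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> bool:
        return pkt.dst == SERVER and (pkt.dport, pkt.src, pkt.sport) in self.flows

def verdicts(outbound, inbound: Packet):
    """(stateless verdict, stateful verdict) for one inbound segment, after
    the stateful filter has seen the server's own outbound packets."""
    fw = StatefulFilter()
    for p in outbound:
        fw.outbound(p)
    return stateless_acl(inbound), fw.inbound(inbound)

# The server fetches updates from a mirror; the mirror's SYN/ACK is a legitimate reply.
REQUEST = Packet(SERVER, 40001, "198.51.100.5", 443, syn=True)
REPLY = Packet("198.51.100.5", 443, SERVER, 40001, syn=True, ack=True)
# An unsolicited segment with ACK set, aimed at a port the server never talked to.
UNSOLICITED = Packet("203.0.113.9", 1234, SERVER, 22, ack=True)

if __name__ == "__main__":
    print("legit reply (stateless, stateful):", verdicts([REQUEST], REPLY))        # (True, True)
    print("unsolicited (stateless, stateful):", verdicts([REQUEST], UNSOLICITED))  # (True, False)
```

Both filters let the mirror's reply through; only the stateful one refuses the ACK-flagged segment that belongs to no connection the server opened, which is the gap a stateless ACL leaves.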

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/