“There are many common configuration problems with firewalls,
ranging in severity and scope. By far the most common problems
relate to what should be blocked or allowed. This is often
problematic because needs change; you may need to allow
video-streaming, for example, and unless done properly, the
addition of new firewall rules can seriously undermine the security
provided by a firewall.”
“Before any changes are made to a firewall, you should sit
down with whoever is responsible and ensure that the changes will
not have unintended side effects. I find that the best way to
do this is to print out the rules and make sure the new rules fit
logically into the existing structure. For example, my rules
typically start with rules to block private and non-routed networks
(like 10.*, 127.*, and so on), followed by ICMP-related rules. Then
I have rules that allow traffic in (SSH, email, WWW and so on);
then, depending on the security required, I block the first 1024
ports (which are usually the most interesting ones), or I have a
default deny policy.”
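The review step described above (print the rules, check that a new rule fits the existing structure) can be rehearsed offline with a first-match rule model. The following is an added example, not part of the quoted text and not any particular firewall's syntax: it encodes the quoted ordering (blocks on private and loopback source ranges, then ICMP, then inbound allows for SSH, SMTP and HTTP, then a block on ports 0-1023 and a default deny) and compares verdicts for a set of probe packets before and after a candidate rule is inserted. Rule names, the probe addresses, the video-streaming port range and the `review_insert` helper are all constructed for the illustration.

```python
"""Added example: a minimal first-match packet filter model for reviewing
rule-order changes before they reach a real firewall. Not the quoted author's
code; rule names, addresses and ports are constructed for the illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    src: str = "0.0.0.0/0"                    # source network the rule applies to
    proto: str = "any"                        # "tcp", "udp", "icmp" or "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive port range, None = any

    def matches(self, pkt: Dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None:
            lo, hi = self.dport
            # ICMP probes carry no dport; treat that as "no match" for port rules
            if not lo <= pkt.get("dport", -1) <= hi:
                return False
        return True


# Ordering follows the quoted layout: bogon/private sources first, then ICMP,
# then the inbound allows, then the low-port block and the default deny.
RULESET: List[Rule] = [
    Rule("block-rfc1918-10", "deny", src="10.0.0.0/8"),
    Rule("block-loopback", "deny", src="127.0.0.0/8"),
    Rule("block-rfc1918-172", "deny", src="172.16.0.0/12"),
    Rule("block-rfc1918-192", "deny", src="192.168.0.0/16"),
    Rule("allow-icmp", "allow", proto="icmp"),
    Rule("allow-ssh", "allow", proto="tcp", dport=(22, 22)),
    Rule("allow-smtp", "allow", proto="tcp", dport=(25, 25)),
    Rule("allow-http", "allow", proto="tcp", dport=(80, 80)),
    Rule("block-low-ports", "deny", dport=(0, 1023)),
    Rule("default-deny", "deny"),
]

# Candidate change: allow a (constructed) video-streaming UDP port range inbound.
VIDEO_RULE = Rule("allow-video-rtp", "allow", proto="udp", dport=(5004, 5005))

# Constructed probe packets covering each band of the ruleset.
PROBES: List[Dict] = [
    {"src": "10.1.2.3", "proto": "udp", "dport": 5004},      # spoofed private source
    {"src": "203.0.113.5", "proto": "udp", "dport": 5004},   # the traffic we mean to allow
    {"src": "203.0.113.5", "proto": "tcp", "dport": 22},     # existing SSH allow
    {"src": "203.0.113.5", "proto": "udp", "dport": 123},    # low port, should stay blocked
    {"src": "203.0.113.5", "proto": "icmp"},                 # ICMP, allowed by the ICMP rule
]


def evaluate(ruleset: List[Rule], pkt: Dict) -> Tuple[str, str]:
    """First match wins; returns (action, name of the rule that decided)."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def review_insert(ruleset: List[Rule], new_rule: Rule, position: int,
                  probes: List[Dict]) -> List[Tuple[Dict, Tuple[str, str], Tuple[str, str]]]:
    """Return every probe whose verdict changes if new_rule is inserted at
    index `position`. An intended change lists exactly the traffic you meant
    to open; anything else is an unintended side effect of the placement."""
    candidate = ruleset[:position] + [new_rule] + ruleset[position:]
    changes = []
    for pkt in probes:
        before, after = evaluate(ruleset, pkt), evaluate(candidate, pkt)
        if before[0] != after[0]:
            changes.append((pkt, before, after))
    return changes


if __name__ == "__main__":
    for label, pos in (("at top of ruleset", 0), ("after the inbound allows", 8)):
        print(f"Inserting {VIDEO_RULE.name} {label}:")
        for pkt, before, after in review_insert(RULESET, VIDEO_RULE, pos, PROBES):
            print(f"  {pkt} : {before} -> {after}")
```

Running it shows the point of the quoted procedure: placed at the top, the new allow also flips the verdict for a packet with a spoofed 10.x source, silently bypassing the bogon filter; placed after the existing inbound allows, only the intended public video traffic changes verdict.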