Firewall anti-patterns?

firewall

What are some of the most common and wrong ways to configure a firewall? I'll start the list with the following:

Blindly blocking ICMP. This was common practice in 1998 when smurf attacks were all the rage. Today you run the risk of creating a PMTU black hole and making it hard to diagnose problems. If you must block ICMP, at least allow fragmentation needed and echo request/replies through.

Stale Rules. It's too bad we can't set an expiration date on rules. When I migrate a service I often forget to remove the rules for the old service.


Opening it up to get it working... then never coming back and locking anything down.


Subsequent to John's example - not using comments against rules if your firewall supports them.

There's nothing worse than seeing a firewall for the first time and seeing all sorts of strange rules that make no sense to the naked eye, and the comments are all blank and there's no documentation.

Related

Best way to share a folder between KVM host and guest
Someone crashed a whole network with a single switch
SSH keys: why is id_rsa larger than id_rsa.pub?
How to configure Cisco VPNUI shortcut to open a specific host?
Can a single SQL Server instance have multiple names?
Long waiting times before Apache 2.2 server response (Gentoo LAMP)
exported variable not persisted after script execution
How to update/flush dns cache on clients?
yum install obsolete openoffice instead of libreoffice
How do I get ec2 Linux instance info while logged-in on the command-line (public dns, AMI, etc.)
Nginx redirect non-existant files on https to http with try_files
is it possible to install java without the browser plugin?