Firewall anti-patterns?
What are some of the most common and wrong ways to configure a firewall? I'll start the list with the following:
Blindly blocking ICMP. This was common practice in 1998 when smurf attacks were all the rage. Today you run the risk of creating a PMTU black hole and making it hard to diagnose problems. If you must block ICMP, at least allow fragmentation needed and echo request/replies through.
Stale Rules. It's too bad we can't set an expiration date on rules. When I migrate a service I often forget to remove the rules for the old service.
Opening it up to get it working... then never coming back and locking anything down.
Subsequent to John's example - not using comments against rules if your firewall supports them.
There's nothing worse than seeing a firewall for the first time and seeing all sorts of strange rules that make no sense to the naked eye, and the comments are all blank and there's no documentation.