What Rules Should You Use?
Clearly, most of the rules that you will put into your packet filtering system will be determined by the kinds of traffic you want to accept. There are certain rules you will almost always want to use, however. We've already discussed these rules in various places, but here's a summary list of some standard protections that you should automatically apply unless you have a strong reason to do otherwise:
- Set up an explicit default deny (with logging) so that you are sure that the default behavior is to reject packets.
- Deny inbound traffic that appears to come from internal addresses (this is an indication of forged traffic or bad network configurations).
- Deny outbound traffic that does not appear to come from internal addresses (again, such traffic is either forged or symptomatic of network misconfigurations).
- Deny all traffic with invalid source addresses (including broadcast and multicast source addresses; see "Packets and Protocols", for more information about broadcast, multicast, and source addresses).
- Deny all traffic with source routes or IP options set.
- Deny ICMP traffic over a reasonable size (a few kilobytes). ICMP filtering rules are discussed further in "Administrative Services".
- Reassemble fragments into entire packets.
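The list above, applied in order as a small filter model (an added example, not from the book or any real firewall product): the internal network 192.0.2.0/24, the 4 KB ICMP limit and the site-specific accept rules are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumed internal network (constructed)
MAX_ICMP_BYTES = 4096                               # "a few kilobytes"
# Site-specific accept rules, assumed here: (direction, protocol, destination port)
ACCEPT = {("in", "tcp", 25), ("out", "tcp", 80), ("out", "udp", 53)}

@dataclass
class Packet:
    direction: str            # "in" (arriving from outside) or "out" (leaving the inside)
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    length: int = 64          # total IP length in bytes
    dport: int = 0
    ip_options: bool = False  # any IP option present, source routing included
    fragment: bool = False    # a fragment that has not yet been reassembled

def invalid_source(addr: str) -> bool:
    """Addresses that can never be a legitimate sender."""
    a = ipaddress.ip_address(addr)
    return (a.is_multicast or a.is_unspecified or a.is_loopback
            or a == INTERNAL.broadcast_address
            or a == ipaddress.ip_address("255.255.255.255"))

def filter_packet(pkt: Packet, log: list) -> str:
    """Return 'accept', 'deny' or 'hold'. The standard sanity rules run first,
    then the site's accept rules; whatever is left hits a logged default deny."""
    if pkt.fragment:
        return "hold"                     # reassemble first, then filter the whole packet
    src = ipaddress.ip_address(pkt.src)
    if pkt.ip_options:
        reason = "IP options / source route set"
    elif invalid_source(pkt.src):
        reason = "invalid source address"
    elif pkt.direction == "in" and src in INTERNAL:
        reason = "inbound packet claims an internal source (spoofed)"
    elif pkt.direction == "out" and src not in INTERNAL:
        reason = "outbound packet with a non-internal source"
    elif pkt.proto == "icmp" and pkt.length > MAX_ICMP_BYTES:
        reason = "oversized ICMP"
    elif (pkt.direction, pkt.proto, pkt.dport) in ACCEPT:
        return "accept"
    else:
        reason = "default deny"
    log.append(f"DENY {pkt.direction} {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}: {reason}")
    return "deny"
```

Every denial is logged, so the log doubles as the check that the default deny is really what catches unlisted traffic.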