Fragmentation and Reassembly of IP Datagrams

Mandatory Firewall Rules for Internet Facing Firewalls

1. Introduction

In a past life I worked for a large company, first as a network firewall administrator and eventually made my way into the security team as a network security specialist, responsible for developing and auditing the network security standards. While I wrote many network-related standards and best-practices documents, the following was definitely one of my favorites. I had to convert and sanitize the content, and while it is very lengthy (and not suitable for a blog), I figured I'd give it a shot at posting to my site.

A special thanks to Yuri Kopylovski who helped me co-author this guide and to the many folks at who benefited from the content over the years. This was originally published in 2007 under my alias “aciscorouter” and has since been edited to include suggestions from the Anti-Online community.

Note that the rule order is shown in the first column of the sample tables provided under each description (i.e. the very first rule is a drop rule against the firewall itself and the very last is a “clean-up” rule).
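The ordering convention just described only matters because firewalls evaluate rules first-match: a broad permit placed above the firewall drop rule silently exposes the firewall's own addresses. The following is an added example (not part of the original guide) of a small first-match evaluator plus an audit check for the two fixed positions; the addresses, rule names and the `Packet`/`Rule` types are constructed for illustration.

```python
"""First-match rule evaluator illustrating the ordering convention: the first
rule drops traffic addressed to the firewall itself, the last rule is an
explicit clean-up (deny everything) rule.
Added example; addresses and rule names are constructed, not from the guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" or "drop"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


ANY = "0.0.0.0/0"
FIREWALL_IP = "203.0.113.1/32"   # constructed: the firewall's own outside address
DMZ_NET = "203.0.113.0/24"       # constructed: DMZ that also contains the firewall

# Ruleset following the convention: drop-to-firewall first, clean-up last.
RULESET = [
    Rule("drop-to-firewall", "drop", ANY, FIREWALL_IP, "any", None),
    Rule("permit-https-dmz", "permit", ANY, DMZ_NET, "tcp", 443),
    Rule("cleanup", "drop", ANY, ANY, "any", None),
]

# The same rules with the firewall drop placed after the broad permit.
MISORDERED = [RULESET[1], RULESET[0], RULESET[2]]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule covers the packet."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule.
    A packet matching nothing is dropped implicitly; the explicit clean-up
    rule exists so that this drop is visible, countable and loggable."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "<implicit>"


def check_order(ruleset: List[Rule], firewall_ip: str) -> List[str]:
    """Audit check for the two fixed positions; returns a list of violations
    (empty list means the ruleset follows the convention)."""
    problems = []
    first, last = ruleset[0], ruleset[-1]
    if not (first.action == "drop"
            and ipaddress.ip_network(first.dst) == ipaddress.ip_network(firewall_ip)
            and first.proto == "any" and first.dport is None):
        problems.append("first rule must drop all traffic to the firewall")
    if not (last.action == "drop" and last.src == ANY and last.dst == ANY
            and last.proto == "any" and last.dport is None):
        problems.append("last rule must be a drop-everything clean-up rule")
    return problems


if __name__ == "__main__":
    probe = Packet("198.51.100.7", "203.0.113.1", "tcp", 443)  # constructed
    print("correct order :", evaluate(RULESET, probe))
    print("misordered    :", evaluate(MISORDERED, probe))
    print("audit         :", check_order(MISORDERED, FIREWALL_IP))
```

With the rules in the intended order the HTTPS probe aimed at the firewall's own address is dropped by the first rule, while in the misordered list the DMZ-wide permit matches first and the firewall is reachable; `check_order` is the kind of check that belongs in a ruleset review before a change is pushed.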
