Explicit Denies on a Firewall

Joe Bloggs
Level 1

Is there any security benefit to putting in specific denies for, say, known bad hosts in a firewall rule base when the rule base has an implicit deny all in it?

6 Replies

Just for troubleshooting.

You can check hits and log when you add a deny.

That's it.

MHM

So just logging then in your opinion?

I can't see any other reason to have specific denies above a permit, as the implicit deny would kick in.

Above or below?

Below the permit, before the implicit deny: used for troubleshooting.

Above the permit: mainly used to deny a specific host from a subnet, i.e.

We deny host A in subnet 10.0.0.0

Then we permit subnet 10.0.0.0

MHM

@Joe Bloggs yes there is. The implicit deny rule will only be hit if there is no more specific rule higher up in the firewall ruleset that permits the traffic. In some circumstances you may wish to block traffic; for example, you have a firewall rule allowing "any" source to a hosted webserver. So you would add a deny rule from known bad hosts above the allow rule to ensure those bad hosts cannot access the webserver.

So I appreciate that if you have some overly permissive rule and you wanted to stop one specific host from hitting that rule, putting a deny in above makes sense.

But if you only have specific IPs talking to specific IPs on specific ports, is there any point putting an ACE at the top of the rule base dropping/denying traffic from other hosts?

@Joe Bloggs as mentioned, you may need to use it in some circumstances. Each environment and firewall ruleset is different, configure the rules to meet your needs.

If you have strict ACEs with specific IP addresses/networks communicating, then no, you may not require an explicit deny rule above.
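The rule-ordering behaviour discussed in this thread (a deny for one host above or below a subnet permit, and an explicit deny placed just before the implicit deny so it collects hit counts), as an added first-match simulation that is not part of the original thread or any Cisco code. It assumes a /24 mask for the "10.0.0.0" subnet and constructs its own host addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access control entry matched on source address only (constructed model)."""
    action: str   # "permit" or "deny"
    src: str      # CIDR source; "0.0.0.0/0" means any
    hits: int = 0


def evaluate(acl, src_ip):
    """First-match evaluation as a firewall rule base does it: the first ACE whose
    source matches decides and its hit counter increments; if nothing matches,
    the implicit deny-all at the end of the rule base applies (no counter)."""
    ip = ipaddress.ip_address(src_ip)
    for ace in acl:
        if ip in ipaddress.ip_network(ace.src, strict=False):
            ace.hits += 1
            return ace.action
    return "deny"  # implicit deny all


BAD_HOST = "10.0.0.5/32"       # constructed "host A"
SUBNET = "10.0.0.0/24"         # assumed mask for the thread's 10.0.0.0
TRAFFIC = ["10.0.0.5", "10.0.0.10", "192.168.1.1"]  # constructed sources


def deny_above_permit():
    # Deny for host A placed above the subnet permit: host A is blocked,
    # the rest of the subnet still gets through.
    return [Ace("deny", BAD_HOST), Ace("permit", SUBNET)]


def deny_below_permit():
    # Same deny placed below the permit: the permit matches first, so the
    # deny is shadowed and never records a hit.
    return [Ace("permit", SUBNET), Ace("deny", BAD_HOST)]


def strict_with_logging_deny():
    # Strict host-to-host permit plus an explicit deny-any just before the
    # implicit deny: it changes nothing about what is allowed, but unlike the
    # implicit deny it accumulates hits you can log and troubleshoot with.
    return [Ace("permit", "10.0.0.10/32"), Ace("deny", "0.0.0.0/0")]


def run(acl):
    """Evaluate every constructed source and return (decisions, hits per ACE)."""
    decisions = [evaluate(acl, s) for s in TRAFFIC]
    return decisions, [a.hits for a in acl]
```

Running `run(deny_below_permit())` shows the shadowed deny keeping a hit count of zero, which is exactly why such a rule only makes sense below the permit when you want counters, and above it when you actually need to block the host.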
