
CHAPTER 8 | Firewall Deployment Considerations

First, a network has a host address range of 192.168.42.140-190. All hosts except for 188, 189, and 190 are allowed access to a certain port. A single rule allowing hosts 140-187 is all that is necessary, because the default-deny rule takes care of blocking the remaining, non-included hosts.

Second, a network has a host address range of 192.168.42.140-190. All hosts except for 165, 171, and 188 are allowed access to a certain port. You need multiple rules to implement this configuration. One or more rules must define deny exceptions for 165, 171, and 188, followed by the allow rule for the 140-190 range. If the firewall only allows a single address or a range of addresses per rule, rather than a list of nonsequential addresses, then three deny rules would be necessary in this scenario.

In this example, network design and addressing can be used to make firewall rule-set construction either larger and more complex or shorter, more distinct, and more compact. The latter is preferred for administrative purposes as well as for security and efficiency. If the process of creating rules requires a significant number of special exceptions to modify or adjust ranges of addresses or ports, consider reconfiguring the network rather than using an overly complex or overly long rule set. When designing or writing firewall rules, especially when writing pairs or sets of rules, consider whether a single rule or a simpler rule set becomes possible if the network's addressing scheme, infrastructure design, or subnet layout is adjusted.

As another guideline to ordering rule sets, consider placing rules related to more
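The two scenarios above, modelled as an added Python example (not the book's code): a first-match rule evaluator with an implicit default-deny at the end of the chain, plus a check that flags rules shadowed by an earlier, broader rule, which is what happens if the allow rule in the second scenario is placed before its deny exceptions. The 192.168.42.x hosts are from the text; port 443 is an assumed value for the "certain port".

```python
import ipaddress

# Each rule is (action, first_host, last_host, port). Rules are evaluated
# top to bottom, first match wins, and no match falls through to default-deny.
PORT = 443  # assumed stand-in for the "certain port" in the text

# Scenario 1: .140-.187 allowed; .188-.190 need no explicit deny rule.
RULES_SCENARIO_1 = [
    ("allow", "192.168.42.140", "192.168.42.187", PORT),
]

# Scenario 2: exceptions .165, .171, .188 must be denied before the allow rule
# (one deny rule per host, as on a firewall that takes one address per rule).
RULES_SCENARIO_2 = [
    ("deny", "192.168.42.165", "192.168.42.165", PORT),
    ("deny", "192.168.42.171", "192.168.42.171", PORT),
    ("deny", "192.168.42.188", "192.168.42.188", PORT),
    ("allow", "192.168.42.140", "192.168.42.190", PORT),
]

# Same rules, wrong order: the broad allow now shadows all three denies.
RULES_SCENARIO_2_MISORDERED = RULES_SCENARIO_2[-1:] + RULES_SCENARIO_2[:-1]


def evaluate(rules, src_ip, port):
    """Return 'allow' or 'deny' for (src_ip, port) under first-match semantics."""
    ip = ipaddress.ip_address(src_ip)
    for action, first, last, rule_port in rules:
        if rule_port == port and ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
            return action
    return "deny"  # the implicit default-deny rule at the end of every chain


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule already
    covers their whole address range on the same port (a sign of bad ordering)."""
    shadowed = []
    for i, (_, first, last, port) in enumerate(rules):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        for _, f2, l2, p2 in rules[:i]:
            if p2 == port and ipaddress.ip_address(f2) <= lo and hi <= ipaddress.ip_address(l2):
                shadowed.append(i)
                break
    return shadowed


def policy_map(rules, first_host=140, last_host=190, port=PORT):
    """Evaluate every host in the 192.168.42.x range; returns {last_octet: decision}."""
    return {h: evaluate(rules, f"192.168.42.{h}", port) for h in range(first_host, last_host + 1)}
```

Running `shadowed_rules` over a candidate rule set before deploying it catches the ordering mistake the text warns about, since a deny exception listed after a broader allow is silently dead.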