Case: review of firewall configuration

Case: Customer concerns about the firewall configuration. The firewall is implemented on a Linux server and includes NAT.

Discovery: During review of the firewall configuration I discovered the following: the total number of lines in the configuration is ~5500. Some rules are grouped into groups (chains). Some groups have no rules in them. Many rules have never had traffic passing through them.

Advice stage 1: Remove empty groups. Remove rules with no traffic passing through them. Create a specific group for DROP rules.

Result of stage 1: reduction of the firewall configuration to ~850 lines.

Advice stage 2: Migrate from a per-host configuration to a per-network configuration.

Result of stage 2: reduction of the firewall configuration to ~300 lines.
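The three findings above (empty chains, rules with zero traffic, per-host rules that could become per-network rules) can all be read off the packet counters and source matches that `iptables-save -c` prints. The script below is an added example, not the customer's configuration or any tool used in this case; it parses a constructed `iptables-save -c` sample (the chain names, addresses and counters are invented for illustration) and produces a review report for stage 1 and stage 2. It only reports candidates: a zero counter may mean the counters were recently reset or the rule covers rare but required traffic, and merged source rules must be re-inserted at the position of the first rule they replace so chain evaluation order is preserved.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `iptables-save -c` output; it is not the customer's
# ruleset. The leading [packets:bytes] brackets are the per-rule counters.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEB_IN - [0:0]
:OLD_VPN - [0:0]
:DROP_LOG - [0:0]
[4120:330000] -A INPUT -s 10.0.1.0/32 -p tcp -m tcp --dport 22 -j ACCEPT
[3981:318000] -A INPUT -s 10.0.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
[4005:320000] -A INPUT -s 10.0.1.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
[3877:310000] -A INPUT -s 10.0.1.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 192.168.9.7/32 -p tcp -m tcp --dport 3306 -j ACCEPT
[88210:7000000] -A INPUT -p tcp -m tcp --dport 443 -j WEB_IN
[88210:7000000] -A WEB_IN -m conntrack --ctstate NEW -j ACCEPT
[512:30720] -A INPUT -j DROP_LOG
[512:30720] -A DROP_LOG -j LOG --log-prefix "FW-DROP "
[512:30720] -A DROP_LOG -j DROP
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")   # ":NAME POLICY [p:b]"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")  # "[p:b] -A CHAIN spec"
SRC_RE = re.compile(r"-s\s+(\S+)\s*")


def parse(text):
    """Return (chains, rules). chains maps name -> policy ('-' for user-defined
    chains); rules is a list of dicts with counters, chain and rule spec."""
    chains, rules = {}, []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chains[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"pkts": int(m.group(1)), "bytes": int(m.group(2)),
                          "chain": m.group(3), "spec": m.group(4)})
    return chains, rules


def empty_chains(chains, rules):
    """Stage 1: user-defined chains that contain no rules at all."""
    used = {r["chain"] for r in rules}
    return sorted(c for c, pol in chains.items() if pol == "-" and c not in used)


def idle_rules(rules):
    """Stage 1: rules whose packet counter is zero since the last counter reset."""
    return [r for r in rules if r["pkts"] == 0]


def consolidate_sources(rules):
    """Stage 2: group rules that differ only in their -s host and collapse those
    hosts into the smallest CIDR set covering exactly them. collapse_addresses
    merges only complete sibling blocks, so no address outside the original
    host list is ever admitted by a merged rule."""
    groups = defaultdict(list)
    for r in rules:
        if "! -s" in r["spec"]:          # negated sources are not merged
            continue
        m = SRC_RE.search(r["spec"])
        if not m:
            continue
        rest = SRC_RE.sub("", r["spec"], count=1)
        groups[(r["chain"], rest)].append(ipaddress.ip_network(m.group(1)))
    merged = []
    for (chain, rest), nets in groups.items():
        prefixes = list(ipaddress.collapse_addresses(nets))
        if len(prefixes) < len(nets):    # report only real reductions
            for net in prefixes:
                merged.append(f"-A {chain} -s {net} {rest}")
    return merged


def review(text):
    """Produce the stage 1 / stage 2 candidate lists for a ruleset dump."""
    chains, rules = parse(text)
    live = [r for r in rules if r["pkts"] > 0]
    return {
        "empty_chains": empty_chains(chains, rules),
        "idle_rules": [f"-A {r['chain']} {r['spec']}" for r in idle_rules(rules)],
        "merged_rules": consolidate_sources(live),
    }


if __name__ == "__main__":
    for section, items in review(SAMPLE).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run against a real dump with `iptables-save -c | python3 review.py` after replacing `SAMPLE` with `sys.stdin.read()`; counters reflect traffic since the last `iptables -Z` or reboot, so check the uptime before treating a zero counter as evidence that a rule is unused.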