I'm looking for some input and good ideas from others for firewalling my internal servers on my border router. What methods do you use in firewalling internal servers? I've basically been setting up a few rules per server IP. For example, for a web server, I'll allow port 80, established connections and related connections, then drop everything else. Should I be doing anything differently? Any input would be appreciated.
Allow established, related, and then tcp/80 'new' connections. If you allow tcp/80 before established, you can get hackers trying to mess with existing connections, possibly.
If you have a few web servers, it's nice to be able to use the address-list and set up a list of web server IPs, then use that in your dst-address-list filter on the rule. Saves you from having to repeat the same rules for others.
Put some SYN flood filters in place. Don't allow too many SYNs from a single IP address, or too many connections from a single IP address.
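Pulling the three replies above together into one forward-chain ruleset (rule ordering with established/related first, an address-list for the web servers, and SYN/connection limits). This is an added example, not config posted by anyone in the thread. It assumes MikroTik RouterOS v6 CLI syntax, a WAN interface named ether1-wan, and constructed server addresses from the 192.0.2.0/24 documentation range; adjust all of those to your own router, and check the `limit=` syntax against your RouterOS version, since it has changed between releases.

```routeros
# --- address-list of internal web servers (constructed example addresses) ---
/ip firewall address-list
add list=web-servers address=192.0.2.10 comment="web01 (example)"
add list=web-servers address=192.0.2.11 comment="web02 (example)"

# --- forward chain: traffic passing through the border router to the servers ---
/ip firewall filter

# 1. Established/related first, so return traffic for existing flows is
#    accepted before any "new" rule gets a chance to look at it.
add chain=forward action=accept connection-state=established,related \
    comment="accept packets belonging to existing connections"

# 2. Invalid state (no matching conntrack entry, bad TCP flags) is dropped
#    early; this is the stray packet class that can poke at live connections.
add chain=forward action=drop connection-state=invalid \
    comment="drop packets conntrack cannot associate with a flow"

# 3. Anyone already flagged as abusive is dropped outright.
add chain=forward action=drop src-address-list=syn-abusers \
    comment="drop sources that exceeded the SYN/connection limits"

# 4. Too many SYNs overall toward the servers: only the first 400 SYN/s
#    (burst 5) pass; the rest fall through to the drop below.
#    limit syntax is the v6 form and is an assumption about your release.
add chain=forward action=jump jump-target=syn-check protocol=tcp \
    tcp-flags=syn connection-state=new dst-address-list=web-servers \
    in-interface=ether1-wan comment="rate-check new SYNs to web servers"
add chain=syn-check action=return protocol=tcp tcp-flags=syn \
    limit=400,5:packet comment="within global SYN budget, continue"
add chain=syn-check action=drop comment="SYN rate exceeded, drop"

# 5. Per-source connection cap: a single /32 with more than 50 concurrent
#    connections to the web servers gets listed for 10 minutes and dropped.
add chain=forward action=add-src-to-address-list protocol=tcp \
    connection-state=new dst-address-list=web-servers dst-port=80 \
    connection-limit=50,32 address-list=syn-abusers \
    address-list-timeout=10m in-interface=ether1-wan \
    comment="flag sources holding too many connections"
add chain=forward action=drop src-address-list=syn-abusers \
    comment="drop newly flagged sources on this packet too"

# 6. Only now accept NEW tcp/80 to the web-server list; one rule covers
#    every server in the list instead of one rule per IP.
add chain=forward action=accept protocol=tcp dst-port=80 \
    connection-state=new dst-address-list=web-servers \
    in-interface=ether1-wan comment="allow new HTTP to web servers"

# 7. Default deny for everything else aimed at the servers.
add chain=forward action=drop dst-address-list=web-servers \
    in-interface=ether1-wan comment="drop everything else to web servers"
```

Rule order matters: RouterOS walks the chain top to bottom and stops at the first terminating action, so if the tcp/80 accept were placed above the established/related rule, every inbound HTTP packet would be re-evaluated as if it were a new connection and the state tracking would never get to refuse out-of-flow packets. Adding another server is then a single `address-list` line rather than a copy of the whole block. Before enabling the drop rules, watch the counters (`/ip firewall filter print stats`) and the `syn-abusers` list for a while to make sure legitimate clients behind a large NAT are not hitting the 50-connection cap.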