27 lines
895 B
Plaintext
Internal Network: 10.0.x.1/24
Host10: 10.0.x.10/24
Host11: 10.0.x.11/24
Public IP: 10.0.0.z/24

Layout:

Internal Net --- Firewall --- Public Net

Security policy:
- Stateful Packet Filter for ~64k Connections
- All packets that are not explicitly allowed have to be dropped
- All packets that are dropped have to be logged
- SSH access from public segment (192.168.100.y/24) to the Firewall itself
- No handling of multicast and/or broadcast packets
- Antispoofing rules for each interface
- All traffic from/to Internal must not be NAT'ed (i.e. public addresses)
- Correct handling of all ICMP Errors
- ICMP echo request / reply allowed stateful
- Host10:
  - Administrative access via SSH from any Public Address
  - HTTP access from Public Network
- Host11:
  - No access from Public Network
- All machines in Internal Network:
  - Allowed to initiate any kind of connections to Public Network
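The policy above maps fairly directly onto an nftables ruleset. The following is an added example, not part of the original paste: it assumes eth0 is the internal interface and eth1 the public one, fills in the paste's placeholders as x = 1, 192.168.100.0/24 for the management segment and leaves z unused (the firewall's own public address never needs to appear in the rules), and interprets the ICMP requirements as "conntrack handles errors as RELATED, echo requests are allowed as NEW and replies ride on ESTABLISHED". Every chain has a drop policy and ends in a logged drop, antispoofing is a shared chain keyed on the ingress interface, and there is deliberately no nat table at all.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the policy above (assumed interface names and
# concrete values for the page's x/y/z placeholders).
# The ~64k connection table is a conntrack setting, not an nft rule:
#   sysctl -w net.netfilter.nf_conntrack_max=65536

flush ruleset

define int_if   = eth0               # assumed: internal side
define pub_if   = eth1               # assumed: public side
define int_net  = 10.0.1.0/24        # page's 10.0.x.0/24 with x = 1 (assumed)
define host10   = 10.0.1.10
define host11   = 10.0.1.11
define mgmt_net = 192.168.100.0/24   # page's 192.168.100.y/24

table inet fw {
    # source addresses must be plausible for the interface they arrive on
    chain antispoof {
        iif $int_if ip saddr != $int_net  log prefix "fw-spoof-int: " drop
        iif $pub_if ip saddr $int_net     log prefix "fw-spoof-pub: " drop
        iif $pub_if ip saddr 127.0.0.0/8  log prefix "fw-spoof-pub: " drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        # no handling of broadcast/multicast: they fall to a logged drop
        meta pkttype != unicast log prefix "fw-input-nonunicast: " drop
        jump antispoof
        ct state invalid log prefix "fw-input-invalid: " drop
        # replies and ICMP errors for flows the firewall itself opened
        ct state established,related accept
        # SSH to the firewall only from the management segment on the public side
        iif $pub_if ip saddr $mgmt_net tcp dport 22 ct state new accept
        # stateful ping of the firewall: request as NEW, reply via ESTABLISHED
        icmp type echo-request ct state new accept
        log prefix "fw-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        meta pkttype != unicast log prefix "fw-forward-nonunicast: " drop
        jump antispoof
        ct state invalid log prefix "fw-forward-invalid: " drop
        # return traffic plus ICMP errors belonging to a tracked flow
        # (conntrack classifies those errors as RELATED)
        ct state established,related accept
        # internal hosts may open any connection towards the public network
        iif $int_if oif $pub_if ip saddr $int_net ct state new accept
        # Host10: SSH from any public address, HTTP from the public network
        iif $pub_if oif $int_if ip daddr $host10 tcp dport 22 ct state new accept
        iif $pub_if oif $int_if ip daddr $host10 tcp dport 80 ct state new accept
        # stateful ping through the firewall
        icmp type echo-request ct state new accept
        # Host11 has no rule: anything public-initiated towards it is logged and dropped
        log prefix "fw-forward-drop: " drop
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif lo accept
        ct state established,related accept
        # ICMP errors the firewall generates about traffic it rejected or could not route
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmp type echo-request ct state new accept
        log prefix "fw-output-drop: " drop
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`; the `fw-*` log prefixes make it easy to separate spoofing attempts and non-unicast noise from ordinary policy drops when reviewing the kernel log. Because there is no nat table, internal addresses cross the firewall unchanged, which is exactly what the "must not be NAT'ed" requirement asks for and presumes those addresses are routable on the public side.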