laforge-slides/2005/iptables-firewall-heinlein2005/example2.txt

Internal Network: 10.0.x.0/24 (firewall internal address 10.0.x.1)
Host10: 10.0.x.10/24
Host11: 10.0.x.11/24
Public IP: 10.0.0.z/24 (firewall public address)
Layout:
Internal Net --- Firewall --- Public Net
Security policy:
- Stateful packet filter sized for ~64k tracked connections
- All packets that are not explicitly allowed have to be dropped
- All packets that are dropped have to be logged
- SSH access from the public segment 192.168.100.y/24 to the firewall itself
- No handling of multicast and/or broadcast packets
- Antispoofing rules on each interface
- Traffic from/to Internal must not be NAT'ed (the internal hosts carry public addresses)
- Correct handling of all ICMP errors
- ICMP echo request / reply allowed, tracked statefully
- Host10:
  - Administrative access via SSH from any public address
  - HTTP access from the public network
- Host11:
  - No access from the public network
- All machines in the internal network:
  - Allowed to initiate any kind of connection to the public network
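One ruleset that satisfies the policy above, written as an added example for this page (it is not the solution from the slides). It fills the placeholders with assumed values, x=1 and z=5, takes eth0 as the internal and eth1 as the public interface, and emits iptables-restore format so the rules can be reviewed and syntax-checked before they are loaded. Two points are interpretations rather than policy: broadcast/multicast is dropped without logging, and Host10 may additionally be pinged from the public side.

```shell
#!/bin/sh
# Added example, not part of the original exercise: emits an iptables-restore
# ruleset for the policy above. Assumed values (not given on the page):
# x=1 (internal net 10.0.1.0/24), z=5 (firewall public address 10.0.0.5),
# eth0 = internal interface, eth1 = public interface.
set -eu

INT_IF=eth0                  # assumption: internal interface
PUB_IF=eth1                  # assumption: public interface
INT_NET=10.0.1.0/24          # 10.0.x.0/24 with x=1 (assumption)
FW_PUB=10.0.0.5              # 10.0.0.z with z=5 (assumption)
HOST10=10.0.1.10
HOST11=10.0.1.11
ADMIN_NET=192.168.100.0/24   # public segment allowed to SSH to the firewall

# ~64k tracked connections is a conntrack sysctl, not a rule. Modern name;
# 2.6-era kernels spelled it net.ipv4.ip_conntrack_max.
conntrack_sysctl() {
    echo "net.netfilter.nf_conntrack_max = 65536"
}

# Prints the complete *filter table in iptables-restore format. No *nat table
# is emitted at all, so nothing from/to Internal is ever NAT'ed.
generate_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
:SPOOF - [0:0]
# Log, then drop: every packet that reaches the end of a chain is logged.
-A LOGDROP -j LOG --log-prefix "fw-drop: " --log-level info
-A LOGDROP -j DROP
# Antispoofing per interface: internal sources only on $INT_IF; our own
# public address and the loopback range must never arrive from outside.
-A SPOOF -i $INT_IF ! -s $INT_NET -j LOGDROP
-A SPOOF -i $PUB_IF -s $INT_NET -j LOGDROP
-A SPOOF -i $PUB_IF -s $FW_PUB -j LOGDROP
-A SPOOF ! -i lo -s 127.0.0.0/8 -j LOGDROP
# Broadcast/multicast is not handled: dropped silently (interpretation of
# "no handling"; logging it would flood the drop log with link noise).
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A FORWARD -m addrtype --dst-type BROADCAST -j DROP
-A FORWARD -d 224.0.0.0/4 -j DROP
# ---- INPUT: traffic addressed to the firewall itself
-A INPUT -i lo -j ACCEPT
-A INPUT -j SPOOF
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
# ESTABLISHED covers replies, RELATED covers ICMP errors for known flows.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $PUB_IF -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
# ---- FORWARD: traffic between the two segments
-A FORWARD -j SPOOF
-A FORWARD -m conntrack --ctstate INVALID -j LOGDROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal hosts may open any connection towards the public network.
-A FORWARD -i $INT_IF -o $PUB_IF -s $INT_NET -m conntrack --ctstate NEW -j ACCEPT
# Host10: SSH from any public address, HTTP from the public network, and
# (assumption) it may be pinged from outside.
-A FORWARD -i $PUB_IF -o $INT_IF -d $HOST10 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $PUB_IF -o $INT_IF -d $HOST10 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $PUB_IF -o $INT_IF -d $HOST10 -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# Host11 ($HOST11) gets no ACCEPT rule: public-initiated traffic falls through.
-A FORWARD -j LOGDROP
# ---- OUTPUT: the firewall's own packets (replies, ICMP errors it generates)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j LOGDROP
COMMIT
EOF
}

generate_ruleset
```

Run it as `sh fw.sh > rules.v4 && iptables-restore --test rules.v4` to check the syntax without touching the live tables, then load it with `iptables-restore rules.v4` and set the conntrack sysctl printed by `conntrack_sysctl`. The chain policies are DROP as a safety net, but every chain ends in an explicit LOGDROP rule so that the logging requirement is met; the counterpart of "log every drop" is that an attacker can fill the log at line rate, so in production you would normally trade a little completeness for `-m limit` on the LOG rule. Setting `net.ipv4.conf.all.rp_filter=1` in addition to the SPOOF chain gives a second, routing-table-based antispoofing check. Note also that with OUTPUT defaulting to DROP the firewall itself cannot open outbound connections (DNS, package updates); the policy does not grant that, so nothing here does either.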