30 lines
767 B
Plaintext
Case 1: basic firewall, no DMZ, no NAT

wlan0: internet uplink (10.0.0.x/24)
eth1: internal network (192.168.111.x/24)

Policy:
- drop all incoming requests (except below), allow all outgoing ones.
- Log the dropped packets via syslog
- Take care of FTP
- Anti-Spoofing Rules
- Incoming connections to internal network allowed (stateful):
  - ICMP echo request
  - SSH to all internal hosts
- Incoming connections to firewall:
  - SSH to firewall
- Incoming connections to server1 (192.168.111.4):
  - One host "server1" accepts FTP, SMTP and HTTP

Case 2: Add DMZ, NAT for internal net

eth0: like above
eth1: internal net (192.168.111.0/24)
eth2: DMZ (10.2.2.1/24)

Policy (like above, but):
- server1 now lives in DMZ
- internal network now SNAT'ed (to 10.1.1.2/24)
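The two policies above, written out as one nftables ruleset generator. This is an added example, not part of the paste, and the paste names no firewall tool; nftables is the choice here. Interface names, the 192.168.111.0/24 and 10.2.2.0/24 networks, server1's Case 1 address and the 10.1.1.2 SNAT address come from the paste. Assumptions: server1's DMZ address (10.2.2.4, the paste does not give one), the uplink name (kept as wlan0 from Case 1 and overridable, since Case 2 calls it eth0), the DMZ being reachable from the uplink without DNAT, and the design choice that the DMZ may open connections to the internet but never to the internal net.

```shell
#!/bin/sh
# Added example, not part of the paste: print an nftables ruleset for
# "case1" or "case2" so it can be reviewed, then loaded with `nft -f -`.
# Interfaces and /24s come from the paste; SERVER1_DMZ and the uplink
# name for Case 2 are assumptions (see lead-in).
WAN=${WAN:-wlan0}                    # uplink; Case 2 calls it eth0
LAN=eth1;  LAN_NET=192.168.111.0/24  # internal network
DMZ=eth2;  DMZ_NET=10.2.2.0/24       # Case 2 only
SERVER1_LAN=192.168.111.4            # Case 1: server1 on the internal net
SERVER1_DMZ=${SERVER1_DMZ:-10.2.2.4} # Case 2: assumed address, not in the paste
SNAT_ADDR=10.1.1.2                   # Case 2: source address for LAN traffic

gen_ruleset() {
  case "$1" in
    case1) server=$SERVER1_LAN; server_if=$LAN; dmz=0 ;;
    case2) server=$SERVER1_DMZ; server_if=$DMZ; dmz=1 ;;
    *) echo "usage: gen_ruleset case1|case2" >&2; return 2 ;;
  esac
  cat <<EOF
flush ruleset

table inet filter {
    # FTP: the helper reads PORT/PASV so data connections become "related".
    # Needs nf_conntrack_ftp; since Linux 4.7 helpers apply only when assigned.
    ct helper ftp-std {
        type "ftp" protocol tcp
        l3proto ip
    }
    chain helpers {
        type filter hook prerouting priority 0; policy accept;
        ip daddr $server tcp dport 21 ct helper set "ftp-std"
    }

    # Anti-spoofing: a source address may only arrive on its own interface.
    chain antispoof {
        iifname "$WAN" ip saddr $LAN_NET log prefix "fw-spoof: " drop
        iifname "$LAN" ip saddr != $LAN_NET log prefix "fw-spoof: " drop
EOF
  if [ "$dmz" = 1 ]; then cat <<EOF
        iifname "$WAN" ip saddr $DMZ_NET log prefix "fw-spoof: " drop
        iifname "$DMZ" ip saddr != $DMZ_NET log prefix "fw-spoof: " drop
EOF
  fi
  cat <<EOF
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        jump antispoof
        ct state invalid drop
        ct state established,related accept
        tcp dport 22 accept                    # SSH to the firewall
        log prefix "fw-input-drop: " drop      # log, then drop the rest
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        jump antispoof
        ct state invalid drop
        ct state established,related accept    # replies and FTP data channels
        iifname "$LAN" accept                  # all outgoing from the internal net
        iifname "$WAN" oifname "$LAN" icmp type echo-request accept
        iifname "$WAN" oifname "$LAN" tcp dport 22 accept
        oifname "$server_if" ip daddr $server tcp dport { 21, 25, 80 } accept
EOF
  if [ "$dmz" = 1 ]; then cat <<EOF
        iifname "$DMZ" oifname "$WAN" accept   # DMZ may reach the internet, never the LAN
EOF
  fi
  cat <<EOF
        log prefix "fw-forward-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;   # allow all outgoing
    }
}
EOF
  if [ "$dmz" = 1 ]; then cat <<EOF

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN" ip saddr $LAN_NET snat to $SNAT_ADDR
    }
}
EOF
  fi
}

# `sh fw.sh case2` prints the ruleset; `sh fw.sh apply case2` loads it.
if [ "${1:-}" = "apply" ]; then gen_ruleset "$2" | nft -f -; else gen_ruleset "${1:-case1}"; fi
```

Three things to check before relying on this. The `log` statements go to the kernel log, which rsyslog/journald pick up under the kern facility, so "syslog" here means watching for the `fw-` prefixes there. The antispoof chain is the explicit version of the policy; setting `net.ipv4.conf.all.rp_filter=1` gives the same protection for any interface you forget to list. For Case 2, `snat to 10.1.1.2` only works if the uplink answers for that address; if 10.1.1.2 is simply the firewall's own uplink address, `masquerade` is the simpler form, and if the 10.2.2.0/24 DMZ is not routable from the uplink, server1 additionally needs a DNAT rule in a prerouting nat chain.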