From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sun, 25 Oct 2015 21:00:20 +0100
Subject: import of old now defunct presentation slides svn repo

---
 2005/iptables-firewall-heinlein2005/example1.txt | 32 ++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 2005/iptables-firewall-heinlein2005/example1.txt

(limited to '2005/iptables-firewall-heinlein2005/example1.txt')

diff --git a/2005/iptables-firewall-heinlein2005/example1.txt b/2005/iptables-firewall-heinlein2005/example1.txt
new file mode 100644
index 0000000..33f70ce
--- /dev/null
+++ b/2005/iptables-firewall-heinlein2005/example1.txt
@@ -0,0 +1,32 @@
+Internal Network: 10.0.0.1/24 (eth1)
+DMZ: 10.23.23.1/24 (eth2)
+Server10: 10.23.23.10/24
+Server11: 10.23.23.11/24
+Public IP: 192.168.100.215/24 (eth0)
+
+Layout:
+ DMZ
+ I
+Internal Net --- Firewall --- Public Net
+
+
+Security policy:
+- Stateful Packet Filter for ~256k Connections
+- All packets that are not explicitly allowed, have to be dropped
+- All packets that are dropped have to be logged
+- No access from the public network to the Firewall itself
+- No handling of multicast and/or broadcast packets
+- Antispoofing rules for each interface
+- All traffic from Internal / DMZ to public must be NAT'ed
+- All machines in DMZ
+ - Allowed to initiate any kind of connection to Public network
+- Server10:
+ - Administrative access via SSH from Public and Internal Network
+ - HTTP access from Public and Internal Network
+ - DNS access from Public and Internal Network
+- Server11:
+ - Administrative access via SSH from Public (Port 2222) and Internal Network
+ - SMTP access from Public and Internal Network
+- All machines in Internal Network:
+ - Allowed to do FTP, SSH, POP3S, IMAP4S to Public Network
+ - HTTP via transparent proxy on Server11:3128
-- cgit v1.2.3
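Review bot: The requirement `- All packets that are dropped have to be logged` carries no rate limit, so an unsolicited flood from the public side — which the default-drop rule logs — can exhaust log storage and bury real events; a rule set built from this spec should pair LOG with `-m limit` (or hashlimit), and the spec should say so, e.g. `- All packets that are dropped have to be logged (rate-limited, e.g. -m limit --limit 5/min --limit-burst 20, so a flood cannot fill the logs)`. The line `Public IP: 192.168.100.215/24 (eth0)` is an RFC 1918 private range, which is fine for a lab but means the eth0 antispoofing rule cannot simply drop all RFC 1918 sources as it would on a real uplink; a short note that this is a lab address would keep a copied rule set from breaking. `No access from the public network to the Firewall itself` presumably still has to admit ESTABLISHED,RELATED replies to the firewall's own outbound traffic (DNS, NTP, package updates), which is an easy lockout if taken literally, so stating that exception explicitly would help.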